----- Forwarded message from [EMAIL PROTECTED] -----

From: [EMAIL PROTECTED]
Subject: security suggestion continued...
Date: Fri, 22 Nov 2002 21:01:35 GMT
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

Following up my prior message, I actually found a nice reference on how to verify samba distributions. That reference was written by David Lechnyr and can be found at http://hr.uoregon.edu/davidrl/samba.html

I've appended David's content below.

Anyway my point being that somewhere on your download pages, it would be very helpful to describe how to use your signatures. And it turns out, I don't believe one can use the GUI version of free PGP to do this. Maybe with the command line version of PGP...

Thanks,
Jerry

----
From http://hr.uoregon.edu/davidrl/samba.html

Installing Samba

It's important to run the latest version of Samba. For example, a security hole has been discovered in versions 2.2.2 through 2.2.6 of Samba that could potentially allow an attacker to gain root access on the target machine. It pays to stay up to date ;-)

Download the files:

    $ wget http://us1.samba.org/samba/ftp/samba-2.2.7.tar.gz
    $ wget http://us1.samba.org/samba/ftp/samba-2.2.7.tar.gz.asc

These days, it's strongly recommended that you verify the PGP signature for any source file before installing it. Download the Samba PGP Public Key file from http://us1.samba.org/samba/ftp/samba-pubkey.asc and run:

    $ gpg --import samba-pubkey.asc
    $ gpg --verify samba-2.2.7.tar.gz.asc

If you receive a message like, "Good signature from Samba Distribution Verification Key..." then all is well. The warnings about trust relationships can be ignored. An example of what you would not want to see would be:

    gpg: Signature made Mon Aug 26 19:06:30 2002 PDT using RSA key ID 628E0A02
    gpg: BAD signature from "Samba Distribution Verification Key"

----- End forwarded message -----

--
Martin
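
Added example, not part of the forwarded message or of David Lechnyr's page: a shell function that makes the same good/bad decision from gpg's machine-readable `--status-fd` lines rather than from the "Good signature" text, and also checks that the signature was made by an expected key fingerprint. The fingerprint, key ID and sample status lines are constructed placeholders; the real fingerprint has to come from the project through a separate channel.

```shell
#!/bin/sh
# Added example. Fingerprint, key ID and status lines below are constructed
# placeholders, not the real Samba key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Samba Distribution Verification Key
[GNUPG:] VALIDSIG $SAMPLE_FPR 2002-11-20 1037750400 0 3 0 1 2 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Samba Distribution Verification Key"

# classify_gpg_status EXPECTED_FPR   (reads gpg --status-fd lines on stdin)
# Prints good, bad, rejected, wrong-key or no-signature; returns 0 only for good.
classify_gpg_status() {
    expected=$1
    verdict=no-signature
    while read -r tag keyword fpr _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG)      # data or signature was altered
                verdict=bad; break ;;
            ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)   # unverifiable, expired or revoked
                verdict=rejected; break ;;
            VALIDSIG)    # signature checks out; now pin the signing key
                if [ "$fpr" = "$expected" ]; then
                    verdict=good
                else
                    verdict=wrong-key; break
                fi ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = good ]
}

# verify_release SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg on a detached signature and classifies its status output.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status "$3"
}

# Usage: verify_release samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz "$EXPECTED_FPR"
```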