On Thursday, 30 December 2004, Rick Moen wrote:
[...]
> One of the things that downstream package maintainers for distros do for
> you, if they're on the ball at all, is to be at least as alert and
> constructively paranoid as Andrew Brown was. They're an additional
> check against _both_ quality problems and security compromise, between
> you and various sorts of harm. You should make use of that protection
> (and other advantages, such as distro-specific patches) preferentially,
> and be aware of the need to perform personally the same sort of checks
> (e.g., meaningfully verifying PGP signatures and md5sums) and
> distro-specific adjustments, whenever you elect to go outside the
> package system.
I've occasionally speculated that it would be really useful for distributions to provide a package containing all the public keys used by upstream maintainers (e.g., kernel.org) to sign releases. There is no guarantee that when I download Foo Group GmbH's latest tarball and PGP key from their FTP server, then verify the former against the latter, that I have not downloaded a compromised tarball AND compromised PGP key.

Thoughts?

--
Henry House
+1 530 753 3361 ext. 13
Please don't send me HTML mail! My mail system usually rejects it.
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to use it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
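The check the thread is circling, as an added example that is not part of the original messages: compute the OpenPGP v4 fingerprint of a downloaded key yourself and compare it against a fingerprint obtained from a source independent of the download server (the distro keyring package Henry wishes for), so that a tarball-plus-key swap on the FTP server is caught before any signature on the tarball is trusted. The key packet below is a constructed, structurally valid v4 public-key packet, not a real key, and the pinned fingerprint is derived from it only for the demonstration.

```python
import hashlib
import hmac
import struct

def parse_first_packet(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first OpenPGP packet; handles old- and new-format headers."""
    ptag = data[0]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ptag & 0x40:                      # new-format header (RFC 4880 4.2.2)
        tag, first = ptag & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length = int.from_bytes(data[1:1 + size], "big")
        off = 1 + size
    return tag, data[off:off + length]

def v4_fingerprint(key_packet: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-byte body length, and the public-key body."""
    tag, body = parse_first_packet(key_packet)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches_pin(key_packet: bytes, pinned_fp: str) -> bool:
    """True only if the downloaded key's fingerprint equals the out-of-band pinned one."""
    want = pinned_fp.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(key_packet), want)

# Constructed v4 RSA public-key body: version, creation time, algorithm 1 (RSA),
# then toy MPIs for n and e. Structurally valid for fingerprinting; not a usable key.
KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"\x00\x09\x01\x01" + b"\x00\x05\x11"
KEY_OLD_FORMAT = b"\x98\x0d" + KEY_BODY          # old-format header: tag 6, 1-byte length
KEY_NEW_FORMAT = b"\xc6\x0d" + KEY_BODY          # new-format header for the same packet
# In practice PINNED_FP comes from a source independent of the download server
# (a distro keyring package, or a fingerprint verified in person); here it is derived for the demo.
PINNED_FP = v4_fingerprint(KEY_OLD_FORMAT)
# A key whose body differs by one byte (e.g. swapped on the server) must not match the pin.
TAMPERED_KEY = b"\x98\x0d" + KEY_BODY[:-1] + b"\x13"
```

Only after `key_matches_pin` succeeds does it make sense to let that key verify the tarball's detached signature; verifying against a key fetched from the same server proves nothing.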