On Thursday 30 December 2004 11:34, Rick Moen wrote:
> Quoting Henry House ([EMAIL PROTECTED]):
>
> > I've occasionally speculated that it would be really useful for
> > distributions to provide a package containing all the public keys used by
> > upstream maintainers (e.g., kernel.org) to sign releases. There is no
> > guarantee that when I download Foo Group GmbH's latest tarball and PGP
> > key from their FTP server, then verify the former against the latter,
> > that I have not downloaded a compromised tarball AND compromised PGP key.
> > Thoughts?
>
> A more _standard_ (extant and functional) way you verify that a PGP/gpg
> key is valid is via signatures in that key (and absence of revocation
> certificates) in the worldwide web of trust. Obviously, you would not
> _ever_ want to trust an upstream package _merely_ because it was
> accompanied by either J. Random PGP/gpg key or an MD5 sum, as any halfway
> competent intruder would fake those, too.

For some packages I have downloaded, the signer's key is retrieved from a different site. I also then check against a key server. This is not foolproof, but it does make the bad guy's job harder.

Another factor is time. If I use the same sites over again, I may be able to check against a key I got some time ago. Presumably, if it had been compromised, it would have been cancelled and a new key generated.
Richard Harke

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
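The checking routine described in the thread (verify the tarball against its detached signature, but only accept the result if the signing key matches a key obtained earlier or from a separate site) can be made mechanical. The script below is an added example, not code from the thread or from any project it mentions. It assumes a detached signature file next to the tarball, a pin file holding the key fingerprint recorded on a previous download, and it parses the machine-readable `--status-fd` output of gpg rather than relying on the exit status alone; the file names and fingerprints are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a release tarball
# against a detached signature and insist that the signing key's primary
# fingerprint equals one pinned from an earlier, independently obtained copy.
# File names and fingerprints used here are hypothetical.

# Normalize a fingerprint so "fedc ba98 ..." and "FEDCBA98..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Pull the primary-key fingerprint out of gpg --status-fd output.
# The VALIDSIG line's last field is the primary key fingerprint; for a
# signature made by a subkey this differs from the subkey fingerprint (field 3),
# so pin the primary key, which is what the web of trust actually certifies.
primary_fpr_from_status() {
    awk '/^\[GNUPG:] VALIDSIG /{print $NF}' "$1"
}

# Return 0 only if the status output contains a VALIDSIG line whose primary
# fingerprint matches the pinned one; BADSIG, ERRSIG, NO_PUBKEY or an
# unexpected (but otherwise valid) key all return 1.
check_status_against_pin() {
    status_file=$1
    pinned=$(norm_fpr "$2")
    grep -q '^\[GNUPG:] VALIDSIG ' "$status_file" || return 1
    actual=$(norm_fpr "$(primary_fpr_from_status "$status_file")")
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# Full check. Usage: verify_release foo-1.0.tar.gz foo-1.0.tar.gz.asc foo.pin
# The pin file holds the fingerprint recorded when the key was first obtained
# from a site other than the one serving the tarball (or confirmed on a key server).
verify_release() {
    tarball=$1; sig=$2; pinfile=$3
    status=$(mktemp) || return 1
    # Exit status alone is insufficient: a good signature from a key an
    # attacker planted beside the tarball also exits 0. The pin is the check.
    gpg --batch --status-fd 1 --verify "$sig" "$tarball" >"$status" 2>/dev/null
    if check_status_against_pin "$status" "$(cat "$pinfile")"; then
        echo "OK: valid signature and signing key matches pinned fingerprint"
        rm -f "$status"; return 0
    else
        echo "REJECT: bad signature, unknown key, or key does not match pin"
        rm -f "$status"; return 1
    fi
}

# Run as a script with three arguments; sourcing it just defines the functions.
if [ $# -eq 3 ]; then
    verify_release "$@"
fi
```

The pin file is the "key I got some time ago" from the message: it is written once, from a key fetched through a different channel than the tarball, and thereafter a key change on the download site shows up as a rejection rather than silently passing, which is exactly the case a freshly downloaded key-plus-tarball pair cannot detect.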