Linux Users' Group of Davis
Page last updated:
2004 Dec 30 22:49

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: trusting downloaded code (was: [vox-tech] Installing Java)

Quoting Henry House (hajhouse@houseag.com):

> I've occasionally speculated that it would be really useful for
> distributions to provide a package containing all the public keys used by
> upstream maintainers (e.g., kernel.org) to sign releases. There is no
> guarantee that when I download Foo Group GmbH's latest tarball and PGP key
> from their FTP server, then verify the former against the latter, that I
> have not downloaded a compromised tarball AND compromised PGP key. Thoughts?

I suppose that would be useful.  

Debian, for example, could have package "upstream-keyring" to go along
with their "debian-keyring" package that furnishes the gpg keys of all
registered Debian developers.  

At the same time, they may see maintaining such a package (checking
continually for revocations and compromises, etc.) as not their problem.

A more _standard_ (extant and functional) way to verify that a PGP/gpg
key is valid is via signatures on that key (and the absence of revocation
certificates) in the worldwide web of trust.  Obviously, you would not
_ever_ want to trust an upstream package _merely_ because it was
accompanied by either J. Random PGP/gpg key or an MD5 sum, as any halfway
competent intruder would fake those, too.
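
A defensive version of the check the post describes, added here as an example (not code from the original post or from LUGOD): it accepts a tarball only when gpg verifies the detached signature and the signing key is either pinned by fingerprint from an out-of-band source or rated fully valid by gpg's own web of trust, and it rejects revoked, expired or bad signatures outright. The pinned fingerprints, function names and sample status lines are constructed assumptions, not real upstream keys.

```shell
#!/bin/sh
# Added example, not code from the original post or from LUGOD.
# Accept a downloaded tarball only if its detached signature verifies AND the
# signing key is trusted for a reason independent of the download itself:
# either its fingerprint was pinned from an out-of-band source, or gpg's own
# web-of-trust computation rates the key fully (or ultimately) valid.
# A key fetched from the same server as the tarball proves nothing on its own.

# Fingerprints recorded ahead of time (constructed placeholder values, not real keys).
PINNED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# check_status STATUS_TEXT
# STATUS_TEXT is the machine-readable output of 'gpg --status-fd'. Returns 0 to
# accept, 1 to reject. Hypothetical helper name.
check_status() {
    status="$1"
    # Any bad, expired, revoked or missing signature is an immediate reject.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)'; then
        return 1
    fi
    # VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo> <hash> <class> <primary-fpr>
    # Use the primary-key fingerprint (field 12) and fall back to the signing
    # subkey fingerprint (field 3) on old gpg versions that omit it.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    [ -n "$fpr" ] || return 1
    # Pinned out of band: accept without consulting the web of trust.
    if printf '%s\n' "$PINNED_FPRS" | grep -qx "$fpr"; then
        return 0
    fi
    # Otherwise require gpg's web-of-trust verdict to be FULLY or ULTIMATE;
    # TRUST_UNDEFINED (a key we merely imported) is not enough.
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'
}

# verify_tarball TARBALL SIGFILE
# Runs gpg with status lines on stdout and hands them to check_status.
verify_tarball() {
    st=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status "$st"
}

# Stand-alone usage: ./verify.sh foo.tar.gz foo.tar.gz.asc
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then echo "ACCEPT: $1"; else echo "REJECT: $1"; exit 1; fi
fi
```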
