On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
> On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
> > Does anybody know where I could get the PGP keys to verify the
> > integrity of the source code I downloaded from a mirror?
> PGP is not used to sign releases or release announcements.
> To verify the integrity of a tarball download from ftp.openldap.org or
> a mirror, you can check it against the SSHA1 and/or MD5 hashes
> published as part of the announcement for the release (posted to
> openldap-announce@openldap.org, archived in that list's archives).
> Hash verification is not intended to detect instances where
> openldap.org hosted services have been hijacked or otherwise seriously
> compromised.
However, only offering the option to verify the hashes using unsigned
emails or non-https publications on a web site is offering up many
more attack vectors.
PGP-signing the hashes would solve this problem and is bog-standard
practice in many (most?) projects, and I would like to see it offered by
OpenLDAP.
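The two checks discussed in this thread, written out as an added example that is not part of the original messages or of the OpenLDAP project: `verify_hash` compares a download against a SHA1 or MD5 value copied from the release announcement (the check Kurt describes), and `verify_signed_sums` refuses to trust a checksum list until a detached PGP signature over it verifies (the practice the reply asks for). The file names `openldap-X.Y.Z.tgz`, `SHA1SUMS` and `SHA1SUMS.asc` are placeholders, and the example assumes coreutils (`sha1sum`/`md5sum`) and `gpg` on the path with the signer's key already imported.

```shell
#!/bin/sh
# Added example, not OpenLDAP project code. File names are hypothetical.

# Print the lowercase hex digest of FILE using ALGO (sha1 or md5).
# Falls back to the BSD tools when the coreutils names are absent.
digest_of() {
  file="$1"; algo="$2"
  case "$algo" in
    sha1) tool="sha1sum"; alt="shasum -a 1" ;;
    md5)  tool="md5sum";  alt="md5 -r" ;;
    *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
  esac
  if command -v "$tool" >/dev/null 2>&1; then
    "$tool" "$file" | awk '{print tolower($1)}'
  else
    $alt "$file" | awk '{print tolower($1)}'
  fi
}

# Compare FILE's ALGO digest with EXPECTED, the value copied from the
# release announcement. Returns 0 on match, 1 on mismatch, 2 on error.
verify_hash() {
  file="$1"; algo="$2"
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  actual=$(digest_of "$file" "$algo") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $algo($file) = $actual"
    return 0
  fi
  echo "MISMATCH: $algo($file) is $actual, expected $expected" >&2
  return 1
}

# Verify detached signature SIG over checksum list SUMS before using it,
# then check FILE against the SHA1 entry listed there. gpg exits non-zero
# on a bad or unknown signature, which aborts the check; the signer's key
# must already be in the local keyring.
verify_signed_sums() {
  file="$1"; sums="$2"; sig="$3"
  gpg --verify "$sig" "$sums" || { echo "signature check failed" >&2; return 1; }
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) {print $1}' "$sums")
  [ -n "$expected" ] || { echo "$name not listed in $sums" >&2; return 1; }
  verify_hash "$file" sha1 "$expected"
}

# Usage, with the announcement's value pasted in (placeholder names):
#   verify_hash openldap-X.Y.Z.tgz sha1 <hash from the announcement>
#   verify_signed_sums openldap-X.Y.Z.tgz SHA1SUMS SHA1SUMS.asc
```

The hash check alone only proves the mirror delivered the same bytes the announcement describes; the signature step is what ties that list to a key, so an attacker who can alter both the tarball and the unsigned announcement copy gains nothing.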