[Date Prev][Date Next]
Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
Kurt Zeilenga wrote:
> For instance, web_ldap says it provides a signature for a digital
> release, but clicking on the link provides a page which says "Not
I knew this (transition during a major OS update on my local machine).
> But, as I noted with hashes, the fact that release messages are widely
> published may make it more likely that such problems will be detected.
Hashes have to be validated out-of-band each time a new release is
published. The trusted keys be have to be validated out-of-band only
each time a new trust anchor key is generated.
> For instance, one does need to consider that
> the host to sign the releases might itself been taken over and the
> implications of such a takeover.
There is no 100% security. I already know this. But raising security
level is always an desirable goal.
> Anyways, for this to go anywhere, I think you or others advocating it
> need to more precisely state which attacks you concerned about, how you
> think digital signatures will help, and detail requirements on that
> signing (in particular, requirements on signing key so trust can be
> established and maintained).
I have no objections against a single release manager using his personal
key or a dedicated key for OpenLDAP tar.gz signing stored in your local
file system reasonably protected by a passphrase. As I see it you're the
only one packaging the tar.gz. So this should not be too difficult for
you. Well, if you don't want to do that then just leave it...
> Note that these are human-factor attacks, not attacks based upon any
> weakness in the PGP signing standards or implementations.
I already know that.