httpd-dev mailing list archives

From Lars Eilebrecht <Lars.Eilebre...@unix-ag.org>
Subject PGP key (was Re: 1.3b2 tarball)
Date Tue, 21 Oct 1997 15:34:36 GMT
Hi,

> Because that is useless.  The purpose is not just to verify that mirrors
> are correct (md5 checksums do that), but also to verify that the
> distribution source hasn't been hacked.
> 
> That requires that developers independently sign it using their own key
> which is not vulnerable if taz is compromised.

If taz is compromised the key can be revoked.
Anyway, a dedicated Apache Group PGP key may still be a good idea, if it
is kept on taz or on the members' private machines... (IMHO)

BTW, here is a snippet from PR#1283:

>Synopsis:       PGP Public Keys not publically registered
>Originator:     russell@pilot.net

For the suitably paranoid, it's a bad thing (tm) that current distribution
of the Apache source does not have a publicly available PGP Public Key that
is associated with it (ie. looking up key A0BB71C1 fails on any public key
server).

The point of this is that, if we're really worried about source tampering on
the Apache FTP site it is conceivable that the keyfiles and signatures out there
are also prone to the same problem - put simply, if the source file on one
machine is tampered with on a given machine it's pretty reasonable to assume that
the keyfile/sigs will also be modified (ie. tampered with) therefore nullifying
the usefulness of the information they are designed to protect.
>How-To-Repeat:
Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
>Fix:
Register the keys officially (see http://pgp.mit.edu/)
>Audit-Trail:
>Unformatted:


ciao...
-- 
Lars Eilebrecht
sfx@unix-ag.org
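
The point made in the message and in the quoted PR, that a signature only helps when the key is known from somewhere other than the download site and that a revoked key must stop validating, shown as an added example that is not part of the original message. It assumes GnuPG and its `--status-fd` output rather than the 1997 PGP tools; the fingerprints, signer name and status lines are constructed sample values.

```python
# Added example: decide whether to trust a release from GnuPG's
# machine-readable status output (gpg --status-fd 1 --verify file.asc file).
# PINNED_FPR is a constructed placeholder; in practice it is obtained through
# a channel independent of the download site (key server, signed mail, ...).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "A" * 40  # constructed: a key that merely sat beside the tarball

# Status keywords after which the signature must not be relied on.
FATAL = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "NO_PUBKEY"}


def check_release(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for the status output of one verification run."""
    fatal, valid_fprs = None, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable "Good signature" text is ignored
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL and fatal is None:
            fatal = keyword
        elif keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing (sub)key.
            # Tenth field, when present: primary key fingerprint.
            primary = args[-1] if len(args) >= 10 else args[0]
            valid_fprs.append(primary.upper())
    if fatal:
        # Checked first: a revoked or expired key is rejected even if a
        # VALIDSIG line for the same signature is also present.
        return False, "rejected: " + fatal
    if not valid_fprs:
        return False, "rejected: no valid signature"
    if pinned_fpr.upper() not in valid_fprs:
        return False, "rejected: signed by unpinned key " + valid_fprs[0]
    return True, "ok: signed by pinned key"


def _status(keyword, fpr):
    """Build constructed status lines for one signature (sample data)."""
    return ("[GNUPG:] %s %s Constructed Signer <signer@example.org>\n"
            "[GNUPG:] VALIDSIG %s 1997-10-21 877448076 0 4 0 1 2 00 %s\n"
            % (keyword, fpr[-16:], fpr, fpr))
```
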
