httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: PGP key (was Re: 1.3b2 tarball)
Date Tue, 21 Oct 1997 18:19:49 GMT
On Tue, 21 Oct 1997, Lars Eilebrecht wrote:

> Hi,
> 
> > Because that is useless.  The purpose is not just to verify that mirrors
> > are correct (md5 checksums do that), but also to verify that the
> > distribution source hasn't been hacked.
> > 
> > That requires that developers independently sign it using their own key
> > which is not vulnerable if taz is compromised.
> 
> If taz is compromised the key can be revoked.

By the point it is far too late.  If we find taz is compromised then we
damn well better verify the source distributions at that time and fix them
if they have been tampered with.  After that, revoking the key does
nothing except tell people that the key you trusted to install that
program isn't valid any more.  Haha, too late.

> Anyway a dedicated Apache Group PGP key maybe still a good idea, if it
> is kept on taz or on the members private machines... (IMHO)
> 
> BTW, here is snipped from PR#1283: 
> 
> >Synopsis:       PGP Public Keys not publically registered
> >Originator:     russell@pilot.net
> 
> For the suitably paranoid, it's a bad thing (tm) that current distribution
> of the Apache source does not have a publically available PGP Public Key that
> is associated with it (ie. looking up key A0BB71C1 fails on any public key
> server).
> 
> The point of this is that, if we're really worried about source tampering on
> the Apache FTP site it is conceivable that the keyfiles and signatures out there
> are also prone to the same problem - put simply, if the source file on one
> machine is tampered with on a given machine it's pretty reasonable to assume that
> the keyfile/sigs will also be modified (ie. tampered with) therefore nullifying
> the usefullness of the information they are designed to protect.
> >How-To-Repeat:
> Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
> >Fix:
> Register the keys officially (see http://pgp.mit.edu/)
> >Audit-Trail:
> >Unformatted:
> 
> 
> ciao...
> -- 
> Lars Eilebrecht
> sfx@unix-ag.org
> 


Mime
View raw message