Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 3065 invoked by uid 6000); 21 Oct 1997 15:35:13 -0000
Received: (qmail 3046 invoked from network); 21 Oct 1997 15:35:09 -0000
Received: from harley.unix-ag.uni-siegen.de (141.99.42.44) by taz.hyperreal.org with SMTP; 21 Oct 1997 15:35:09 -0000
Received: from plus.unix-ag.uni-siegen.de (sfx@plus.unix-ag.uni-siegen.de [141.99.42.200]) by harley.unix-ag.uni-siegen.de (Mailhost) with ESMTP id RAA23274 for ; Tue, 21 Oct 1997 17:34:39 +0200
From: Lars Eilebrecht
Received: (from sfx@localhost) by plus.unix-ag.uni-siegen.de (Forwarder) id RAA01110 for new-httpd@apache.org; Tue, 21 Oct 1997 17:34:37 +0200
Message-Id: <199710211534.RAA01110@plus.unix-ag.uni-siegen.de>
Subject: PGP key (was Re: 1.3b2 tarball)
In-Reply-To: from Marc Slemko at "Oct 20, 97 03:35:32 pm"
To: new-httpd@apache.org
Date: Tue, 21 Oct 1997 17:34:36 +0200 (MET DST)
X-Mailer: ELM [version 2.4ME+ PL35 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Hi,

> Because that is useless. The purpose is not just to verify that mirrors
> are correct (md5 checksums do that), but also to verify that the
> distribution source hasn't been hacked.
>
> That requires that developers independently sign it using their own key
> which is not vulnerable if taz is compromised.

If taz is compromised the key can be revoked.
Anyway a dedicated Apache Group PGP key may still be a good idea,
if it is kept on taz or on the members' private machines... (IMHO)

BTW, here is a snippet from PR#1283:

>Synopsis: PGP Public Keys not publically registered
>Originator: russell@pilot.net

For the suitably paranoid, it's a bad thing (tm) that current distribution
of the Apache source does not have a publicly available PGP Public Key that
is associated with it (i.e. looking up key A0BB71C1 fails on any public key
server).

The point of this is that, if we're really worried about source tampering on
the Apache FTP site it is conceivable that the keyfiles and signatures out
there are also prone to the same problem - put simply, if the source file on
one machine is tampered with on a given machine it's pretty reasonable to
assume that the keyfile/sigs will also be modified (i.e. tampered with)
therefore nullifying the usefulness of the information they are designed to
protect.

>How-To-Repeat: Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
>Fix: Register the keys officially (see http://pgp.mit.edu/)
>Audit-Trail:
>Unformatted:

ciao...
-- 
Lars Eilebrecht sfx@unix-ag.org
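
The concern raised in this message and in the quoted PR, that a signature proves nothing when the key is fetched from the same server as the files, shown as an added example that is not part of the original message or of any Apache tooling. It assumes GnuPG 2.1 or later; the function names, user IDs and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Needs GnuPG 2.1 or later.

# verify_release FILE SIG PINNED_FPR
# Succeeds only if SIG is a valid signature over FILE and the signer's
# primary key fingerprint equals PINNED_FPR, a value the caller obtained
# from a channel independent of the download server.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # On a VALIDSIG status line the last field is the primary key fingerprint.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$signer" ] && [ "$signer" = "$3" ]
}

# make_key USER_ID: create a throwaway unprotected key, print its fingerprint.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null || return 1
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_as FPR FILE SIG: write a detached signature over FILE made by key FPR.
sign_as() {
    gpg --batch --yes --quiet --local-user "$1" --output "$3" --detach-sign "$2"
}

# demo: constructed scenario in a scratch keyring; call it to run the example.
# Prints the pinned check's verdict on the genuine release, then on a
# server-side replacement where file, signature and key were swapped together
# (gpg itself reports that second signature as good).
demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    dev=$(make_key 'dev@example.invalid') || return 1   # constructed identity
    bad=$(make_key 'bad@example.invalid') || return 1   # constructed identity
    printf 'genuine source\n'  > "$GNUPGHOME/good.tar"
    printf 'tampered source\n' > "$GNUPGHOME/evil.tar"
    sign_as "$dev" "$GNUPGHOME/good.tar" "$GNUPGHOME/good.sig"
    sign_as "$bad" "$GNUPGHOME/evil.tar" "$GNUPGHOME/evil.sig"
    verify_release "$GNUPGHOME/good.tar" "$GNUPGHOME/good.sig" "$dev" && echo accepted || echo rejected
    verify_release "$GNUPGHOME/evil.tar" "$GNUPGHOME/evil.sig" "$dev" && echo accepted || echo rejected
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}
```

The pinned value is the full fingerprint rather than a short key ID, and it has to reach the verifier by a path the download server does not control.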