www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Russell M.Van Tassell <russ...@pilot.net>
Subject documentation/1283: PGP Public Keys not publically registered
Date Mon, 20 Oct 1997 23:15:24 GMT

>Number:         1283
>Category:       documentation
>Synopsis:       PGP Public Keys not publically registered
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          doc-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Oct 20 16:20:00 PDT 1997
>Originator:     russell@pilot.net
>Release:        1.3b2 (all?)
n/a (all)
For the suitably paranoid, it's a bad thing (tm) that current distribution of
the Apache source does not have a publically available PGP Public Key that is
associated with it (ie. looking up key A0BB71C1 fails on any public key server).

The point of this is that, if we're really worried about source tampering on the
Apache FTP site it is conceivable that the keyfiles and signatures out there are
also prone to the same problem - put simply, if the source file on one machine
is tampered with on a given machine it's pretty reasonable to assume that the
keyfile/sigs will also be modified (ie. tampered with) therefore nullifying the
usefullness of the information they are designed to protect.
Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
Register the keys officially (see http://pgp.mit.edu/)

View raw message