Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2004 Dec 30 23:07

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: trusting downloaded code (was: [vox-tech] Installing Java)

On Thursday 30 December 2004 11:34, Rick Moen wrote:
> Quoting Henry House (hajhouse@houseag.com):
> > I've occasionally speculated that it would be really useful for
> > distributions to provide a package containing all the public keys used by
> > upstream maintainers (e.g., kernel.org) to sign releases. There is no
> > guarantee that when I download Foo Group GmbH's latest tarball and PGP
> > key from their FTP server, then verify the former against the latter,
> > that I have not downloaded a compromised tarball AND compromised PGP key.
> > Thoughts?
>
> A more _standard_ (extant and functional) way you verify that a PGP/gpg
> key is valid is via signatures in that key (and absence of revocation
> certificates) in the worldwide web of trust.  Obviously, you would not
> _ever_ want to trust an upstream package _merely_ because it was
> accompanied by either J. Random PGP/gpg key or an MD5 sum, as any halfway
> competent intruder would fake those, too.
For some packages I have downloaded, the signer's key is retrieved from a
different site. I also then check against a key server. This is not foolproof,
but it does make the bad guy's job harder. Another factor is time. If I use the
same sites over again, I may be able to check against a key I got some
time ago. Presumably, if it had been compromised, it would have
been canceled and a new key generated.

Richard Harke

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
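The checks Richard describes (key fetched from a different site than the tarball, compared with a key recorded on an earlier visit, and a signature that is only accepted if the key is not revoked) can be scripted. The script below is an added example and is not part of the original post or of any LUGOD tool. It assumes you already have the tarball, its detached `.asc` signature, and an armored key file obtained from a second source (mirror, keyserver export, earlier download); the site name, file names, fingerprints and the `~/.config/release-pins` pin directory are placeholders. It uses a throwaway `GNUPGHOME` so nothing is imported into your real keyring, pins the key's fingerprint on first use, and parses gpg's `--status-fd` lines rather than trusting the exit status alone, because a signature by a revoked or expired key still yields a `VALIDSIG` line and must be caught through `REVKEYSIG`/`EXPKEYSIG`.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded tarball
# against a detached OpenPGP signature with the key obtained separately.
#  1. Import the key file into a throwaway keyring.
#  2. Compare its fingerprint with one pinned on a previous visit
#     (trust on first use), so a tarball+key pair swapped on one server
#     is noticed.
#  3. Parse gpg's status lines: accept only VALIDSIG by the expected key
#     and reject if the key is revoked/expired or the signature is bad.
# All site names, paths and fingerprints are placeholders.

# Directory holding one pinned fingerprint per site (override via PIN_DIR).
pin_dir() { printf '%s' "${PIN_DIR:-$HOME/.config/release-pins}"; }

# Canonical fingerprint form: no spaces, upper-case hex.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# pin_check SITE FPR: on first use record FPR; afterwards require a match.
pin_check() {
    site=$1
    fpr=$(normalize_fpr "$2")
    dir=$(pin_dir)
    mkdir -p "$dir"
    pin="$dir/$site"
    if [ -f "$pin" ]; then
        [ "$(cat "$pin")" = "$fpr" ]
    else
        printf '%s\n' "$fpr" > "$pin"
        echo "pin_check: first use of $site, pinning $fpr" >&2
    fi
}

# check_status STATUS_TEXT EXPECTED_FPR: parse "gpg --status-fd 1" output.
# Succeeds only if there is a VALIDSIG whose signing-key fingerprint (3rd
# field) or primary-key fingerprint (last field) equals EXPECTED_FPR and
# no line marks the signature bad or the key revoked/expired.
check_status() {
    status=$1
    expected=$(normalize_fpr "$2")
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|EXPKEYSIG|EXPSIG) '; then
        return 1
    fi
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || return 1
    signing=$(printf '%s\n' "$line" | awk '{print $3}')
    primary=$(printf '%s\n' "$line" | awk '{print $NF}')
    [ "$signing" = "$expected" ] || [ "$primary" = "$expected" ]
}

# verify_tarball SITE TARBALL SIGNATURE KEYFILE
verify_tarball() {
    site=$1; tarball=$2; sig=$3; keyfile=$4
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    # Throwaway keyring: the downloaded key never touches the user's own
    # keyring or web of trust.
    GNUPGHOME=$home gpg --batch --quiet --import "$keyfile" 2>/dev/null ||
        { rm -rf "$home"; return 1; }
    # Primary-key fingerprint of the (only) imported key, colon format.
    fpr=$(GNUPGHOME=$home gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1=="fpr"{print $10; exit}')
    if ! pin_check "$site" "$fpr"; then
        echo "verify_tarball: key $fpr does not match the fingerprint pinned for $site" >&2
        rm -rf "$home"; return 1
    fi
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    rm -rf "$home"
    if check_status "$status" "$fpr"; then
        echo "verify_tarball: good signature on $tarball by $fpr" >&2
    else
        echo "verify_tarball: REJECTED $tarball" >&2
        return 1
    fi
}

# Usage: sh verify.sh example.org foo-1.0.tar.gz foo-1.0.tar.gz.asc foo-key.asc
if [ "$#" -eq 4 ]; then
    verify_tarball "$@"
fi
```

The pin file is the scripted form of "a key I got some time ago": the first run records the fingerprint, every later run requires the same one, so a key quietly replaced on the vendor's server fails the pin check even if it verifies the tarball. Note that the throwaway keyring deliberately ignores the web of trust Rick mentions; if you want that check too, the fingerprint you pin should be one you have already confirmed through keyserver signatures or an out-of-band channel.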
