LFS Package GPG Signature

Archaic archaic at indy.rr.com
Sun Jun 6 20:53:25 PDT 2004


On Sun, Jun 06, 2004 at 03:27:53PM -0700, Jeremy Utley wrote:
> >
> And what better place to make them available than the "official" LFS server?

Wrong. That defeats a layer of security. If Matt is signing a tarball,
then that tarball should originate on belgarath or his home computer.
It's easy to do on belgarath as then the mirrors can rsync it. Either
way, public perception is that the tarball is an official LFS release,
and as such, the public key should not be readily available to people
from the LFS server. If it is deemed necessary to keep it on the server,
at least do like kernel.org and make it CnP, and not a direct link.
Then, also as kernel.org does, the only direct link is to a keyserver.
Though the key's ASCII really should only be used as verification of
what the keyserver gave you. Redundancy is a good thing here when you
think about what a signature attempts to accomplish. While nothing is
fool-proof, the harder you make it, the better. Just ask gnu.org. :)

-- 
Archaic

The prestige of government has undoubtedly been lowered considerably by
the Prohibition law. For nothing is more destructive of respect for the
government and the law of the land than passing laws which cannot be
enforced. It is an open secret that the dangerous increase of crime in
this country is closely connected with this.

- Albert Einstein, "My First Impression of the U.S.A.", 1921




More information about the lfs-dev mailing list