LFS Package GPG Signature
jeroen at linuxfromscratch.org
Mon Jun 7 10:33:16 PDT 2004
Ronald Hummelink said the following on 07-06-2004 18:27:
> Jeroen Coumans wrote:
>> Archaic said the following on 07-06-2004 13:45:
>>> It is common practice to mention on a web site how to get a public key.
>>> There is nothing wrong with having a page for it and a link in the book.
>> Agree, especially since it's a relatively new process. Heck, I don't
>> even know how to verify a package by its md5sum, let alone how to
>> verify with a GPG key. Some basic instructions are very welcome.
> This is what falls in the command --help RTFM job, which any lfser ought
> to be capable of.

No need to get so anti-newbie, please. Just because we LFS, doesn't mean
we know everything about everything. It's hard to know what FM needs to
be read if you only get a key. If the gpg --help info is enough to get
the job done, then a reference to "gpg --help" would seem sufficient
(although I haven't tried, thus can't verify).

I've asked for such basic information because *I* never did any key
checking, thus I assume a substantial other (non-) LFS'ers haven't
either, and because the concepts which are fundamental to PKI are
non-obvious. Thus, I don't know what commands are required and I don't
know how those commands actually contribute to the secureness or
authentication of the tarball. We can't assume that anyone interested or
capable of LFS is aware of GPG keys or what they accomplish.

A one-liner which states the command to run (with reference to --help or
the Fine Manual) and a pointer to a general document would be very much
appreciated by this GPG/PKI/security newbie, and I suspect to a
significant number of LFS-ers too, as well as a large number of our

I hate to see the book abuse the RTFM-mentality in order not to provide
information about a subject, however basic it may seem to you or someone
else well-versed in the subject. The extreme side of your POV would
reduce the book to a package list with RTFM's in it! :-) If the book
won't provide such information, I'll be sure to make it available on the
site, as I'm sure there *is* a need for such information.

> I'd rather worry about the fact that the tarball is signed not being
> mentioned in the book, than provide these basic commands which are
> easily found by doing your daily RTFM. It is totally against the
> not-spoon-feed everything policy of the last years in the lfs book.

I agree that the book should mention the tarball is MD5 summed & GPG
signed. And at least *I* would appreciate a one-liner with the command
and a pointer to a general document in the book.
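The two checks this thread is asking the book to document, verifying a tarball's MD5 checksum and its detached GPG signature, as an added example in POSIX shell (not from the LFS book, the list, or any poster here). The file layout PACKAGE.tar.bz2 beside PACKAGE.tar.bz2.md5 and PACKAGE.tar.bz2.sig, and the script name, are assumptions.

```shell
#!/bin/sh
# Added example: verify an LFS tarball's MD5 checksum and detached GPG signature.
# Assumed layout (an assumption, not from the thread): PACKAGE.tar.bz2 next to
# PACKAGE.tar.bz2.md5 (md5sum output: "HASH  FILENAME") and PACKAGE.tar.bz2.sig.

# verify_md5 TARBALL MD5FILE -> 0 if the checksum matches, 1 otherwise.
# A matching checksum proves the download was not corrupted in transit. It does
# not prove who published it: whoever can swap the tarball on a mirror can swap
# the .md5 file beside it, so treat this as an integrity check only.
verify_md5() {
    expected=$(awk 'NR == 1 { print $1 }' "$2" 2>/dev/null) || return 1
    actual=$(md5sum "$1" 2>/dev/null | awk '{ print $1 }') || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_sig TARBALL SIGFILE -> 0 only if gpg reports a good signature from a
# key already in the local keyring; 2 if gpg is not installed.
# A good signature proves the holder of the private key signed exactly these
# bytes. It proves nothing about whether that key belongs to the LFS project:
# import the project's public key from a source you trust and compare its
# fingerprint (gpg --fingerprint) before relying on this result.
verify_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# verify_package TARBALL: run both checks and report which one failed.
verify_package() {
    if ! verify_md5 "$1" "$1.md5"; then
        echo "FAIL: MD5 checksum mismatch for $1" >&2
        return 1
    fi
    if ! verify_sig "$1" "$1.sig"; then
        echo "FAIL: GPG signature not verified for $1" >&2
        return 1
    fi
    echo "OK: $1 has a matching checksum and a good signature"
}

# Usage: sh verify-lfs.sh PACKAGE.tar.bz2 (the script name is an assumption).
if [ "$#" -eq 1 ]; then
    verify_package "$1"
fi
```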