LFS Package GPG Signature

Jeroen Coumans jeroen at linuxfromscratch.org
Mon Jun 7 10:33:16 PDT 2004

Ronald Hummelink said the following on 07-06-2004 18:27:
> Jeroen Coumans wrote:
>> Archaic said the following on 07-06-2004 13:45:
>>> It is common practice to mention on a web site how to get a public key.
>>> There is nothing wrong with having a page for it and a link in the book.
>> Agree, especially since it's a relatively new process. Heck, I don't 
>> even know how to verify a package by its md5sum, let alone how to 
>> verify with a GPG key. Some basic instructions are very welcome.
> This is what falls in the command --help RTFM job, which any lfser ought 
> to be capable of.

No need to get so anti-newbie, please. Just because we LFS, doesn't mean 
we know everything about everything. It's hard to know what FM needs to 
be read if you only get a key. If the gpg --help info is enough to get 
the job done, then a reference to "gpg --help" would seem sufficient 
(although I haven't tried, thus can't verify).

I've asked for such basic information because *I* never did any key 
checking, thus I assume a substantial number of other (non-)LFS'ers haven't 
either, and because the concepts which are fundamental to PKI are 
non-obvious. Thus, I don't know what commands are required and I don't 
know how those commands actually contribute to the secureness or 
authentication of the tarball. We can't assume that anyone interested or 
capable of LFS is aware of GPG keys or what they accomplish.

A one-liner which states the command to run (with reference to --help or 
the Fine Manual) and a pointer to a general document would be very much 
appreciated by this GPG/PKI/security newbie, and I suspect by a 
significant number of LFS-ers too, as well as a large number of our 
target audience.

I hate to see the book abuse the RTFM-mentality in order not to provide 
information about a subject, however basic it may seem to you or someone 
else well-versed in the subject. The extreme side of your POV would 
reduce the book to a package list with RTFM's in it! :-) If the book 
won't provide such information, I'll be sure to make it available on the 
site, as I'm sure there *is* a need for such information.

> I'd rather worry about the fact that the tarball is signed not being 
> mentioned in the book, than provide these basic commands which are 
> easily found by doing your daily RTFM. It is totally against the 
> not-spoon-feed everything policy of the last years in the lfs book.

I agree that the book should mention the tarball is MD5 summed & GPG 
signed. And at least *I* would appreciate a one-liner with the command 
and a pointer to a general document in the book.

Jeroen Coumans
