Re: One for the Security Guru's

James Cleverdon (jamesclv@us.ibm.com)
Wed, 23 Oct 2002 15:14:07 -0700


On Wednesday 23 October 2002 06:59 am, Gilad Ben-ossef wrote:
> On Wed, 2002-10-23 at 15:45, Alan Cox wrote:
> > On Wed, 2002-10-23 at 14:02, Robert L. Harris wrote:
[ Snip! ]
>
> .... For example - when you
> download a new update of a kernel (or any program for that matter)
> source/patch (or binary package) from the net do you check the GPG
> signature validity? I would be VERY surprised if you answer 'yes'...
>
> :-))
>
> Gilad.

Be surprised: I run "gpg --verify foo.tgz.sign foo.tgz" every time I download
from kernel.org. And, "rpm --checksig *.rpm" on stuff from redhat.com too.

Given the recent trojaned source packages, I recommend that everyone do the
same.

= = = =

The preceding public service message has been sponsored by Anal Retentive
Sysadmins .Org (Motto: Constipation: It's not just a job, it's a career!)

> > Alan

-- 
James Cleverdon
IBM xSeries Linux Solutions
{jamesclv(Unix, preferred), cleverdj(Notes)} at us dot ibm dot com

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
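The check James describes, as an added example that is not from his post or from kernel.org: a Python wrapper around `gpg --verify` that reads GnuPG's machine-readable `--status-fd` output and accepts a download only when a VALIDSIG from a pinned fingerprint appears, because a bare exit status of 0 says only that *some* key in your keyring signed the file. The fingerprint constant is a placeholder you must replace with the key you actually trust.

```python
"""Verify a detached GnuPG signature and pin the signer's fingerprint.

Added example, not from the original LKML post.  A successful
`gpg --verify` means a key in the local keyring made the signature;
this wrapper additionally requires that key to be the expected one and
fails closed on every failure status GnuPG can report.
"""
import subprocess

# Placeholder: replace with the full 40-hex-digit fingerprint you trust.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Status keywords that mean the signature must not be trusted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG",
                    "REVKEYSIG", "NODATA", "UNEXPECTED", "FAILURE"}


def parse_gpg_status(status_text, expected_fpr):
    """Interpret `gpg --status-fd` lines; return (ok, reason).

    ok is True only when a VALIDSIG by expected_fpr was reported and no
    failure keyword appeared anywhere in the output.
    """
    seen = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAILURE_KEYWORDS:
            return False, "gpg reported " + keyword
        if keyword == "VALIDSIG" and len(parts) >= 3:
            # VALIDSIG <signing-key fpr> <date> <ts> ... [<primary-key fpr>]
            seen.append(parts[2].upper())
            if len(parts) >= 12:          # GnuPG 2 appends the primary key
                seen.append(parts[11].upper())
    if not seen:
        return False, "no VALIDSIG line (signature not verified)"
    if expected_fpr.upper() not in seen:
        return False, "signed by unexpected key " + seen[0]
    return True, "good signature from pinned key"


def verify_detached(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Run `gpg --verify sig data` and judge it with parse_gpg_status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)
```

Usage: `verify_detached("linux-2.4.19.tar.gz.sign", "linux-2.4.19.tar.gz")` returns `(True, ...)` only for a signature by the pinned key; anything else, including an unknown or revoked key, is rejected.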