Re: kernel.org frontpage

Valdis.Kletnieks@vt.edu
Wed, 29 Jan 2003 13:55:22 -0500


On Wed, 29 Jan 2003 13:36:55 EST, Chris Friesen said:

> Perhaps for the truly paranoid the signatures should be posted to this
> newsgroup and digitally signed by someone trusted.

It's called the PGP web of trust. There's already some 107 signatures on
the PGP key - who else would you want signing it? The point is that we've
already (presumably) proved via the web-of-trust that PGP key 517d0f0e is
in fact the proper key, and that for an intruder to post a valid signature
of a trojaned .tar.gz would require them to *ALSO* compromise the machine
that the signing is done on (hopefully a different machine than ftp.kernel.org).

Yes, an intruder could leave a forged signature with a random key easily. But
to leave a forged signature with the key that's already on my keyring is a
lot harder...

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
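
The distinction drawn in the message above, a good signature from some key versus a good signature from the key already on the keyring, shown as an added example that is not part of the original post. It reads GnuPG's `--status-fd` output and accepts a file only when the signer is one pinned key; `PINNED_FPR`, the function names and the sample status lines are constructed for illustration, and the full fingerprint is a placeholder because the page gives only the short ID.

```python
import subprocess

# Placeholder for the full fingerprint of the key you already verified
# (constructed value; the page gives only the short ID 517d0f0e).
PINNED_FPR = "1111222233334444555566667777888899990000"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def is_trusted(status_text, pinned=PINNED_FPR):
    """True only for a good signature made by the pinned key."""
    keywords, signers = set(), set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Last field is the primary-key fingerprint (GnuPG 2.x layout);
            # fall back to the signing-key fingerprint on shorter lines.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
            signers.add(fpr.upper())
    if keywords & REJECT or "GOODSIG" not in keywords:
        return False
    return signers == {pinned.upper()}

def verify_file(sig_path, data_path, pinned=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return is_trusted(proc.stdout, pinned)

def sample_status(fpr):
    """Constructed status lines for a good signature by key `fpr`."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Example Key <key@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2003-01-29 1043866522 0 3 0 17 2 00 {fpr}\n")

# Constructed failure cases: signer key absent from the keyring, and a
# signature that does not match the file contents.
MISSING_KEY = ("[GNUPG:] ERRSIG 7777888899990000 17 2 00 1043866522 9\n"
               "[GNUPG:] NO_PUBKEY 7777888899990000\n")
TAMPERED = "[GNUPG:] BADSIG 7777888899990000 Example Key <key@example.org>\n"

if __name__ == "__main__":
    other = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"  # some other key
    print("pinned key :", is_trusted(sample_status(PINNED_FPR)))
    print("other key  :", is_trusted(sample_status(other)))
```

The second case is the one the message describes: gpg reports a good signature, but from a key other than the one already trusted, so the check rejects it.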