Re: kernel.org frontpage

Russell King (rmk@arm.linux.org.uk)
Wed, 29 Jan 2003 19:37:50 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Howard Shane: "kernel craps out accessing Sony CDRW with ide-scsi"
Previous message: H. Peter Anvin: "Re: kernel.org frontpage"
In reply to: Valdis.Kletnieks@vt.edu: "Re: kernel.org frontpage"

On Wed, Jan 29, 2003 at 01:55:22PM -0500, Valdis.Kletnieks@vt.edu wrote:
> Yes, an intruder could leave a forged signature with a random key
> easily. But to leave a forged signature with the key that's already
> on my keyring is a lot harder...

I believe a script signs the files on ftp.kernel.org, which means the
private key is on the master machine, probably without a pass phrase.
That means that if the master server is compromised, its highly likely
that a rogue file will have a correct signature.

As hpa says, the GPG signature provides no assurance that Linus put
up patch-2.5.60.bz2 and not some random other person.

The only way to be completely sure is for Linus to gpg-sign the patches
himself at source with a known gpg key using a secure pass phrase before
they leave his machine (preferably before the machine is connected to
the 'net to upload them for the really paranoid.)

-- Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux http://www.arm.linux.org.uk/personal/aboutme.html

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Howard Shane: "kernel craps out accessing Sony CDRW with ide-scsi"
Previous message: H. Peter Anvin: "Re: kernel.org frontpage"
In reply to: Valdis.Kletnieks@vt.edu: "Re: kernel.org frontpage"