On Wed, 29 Jan 2003 19:37:50 GMT, Russell King said:
> I believe a script signs the files on ftp.kernel.org, which means the
> private key is on the master machine, probably without a pass phrase.
> That means that if the master server is compromised, its highly likely
> that a rogue file will have a correct signature.
OK.. I missed that part, and thought somebody was doing a check-and-balance
before files went out.
> The only way to be completely sure is for Linus to gpg-sign the patches
> himself at source with a known gpg key using a secure pass phrase before
Now there's a thought.. ;)
--==_Exmh_1530471676P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE+ODBMcC3lWbTT17ARAuZ7AKCdGYUrHtMoP0ZwPOiBPYhXcf1XcACg+oTI
7OTwJIhbDvcbpFI0PQJhuwE=
=0uzb
-----END PGP SIGNATURE-----
--==_Exmh_1530471676P--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/