Date: Thu, 10 Oct 2002 14:31:31 +1300 (NZDT)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: Garrett Wollman <wollman@lcs.mit.edu>
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server
Message-ID: <20021010142806.G63299-100000@a2.scoop.co.nz>
In-Reply-To: <200210100114.g9A1EJKZ059028@khavrinen.lcs.mit.edu>

On Wed, 9 Oct 2002, Garrett Wollman wrote:

> <<On Thu, 10 Oct 2002 12:31:24 +1300 (NZDT), Andrew McNaughton <andrew@scoop.co.nz> said:
>
> > be kept, but would it be worthwhile to add PGP signatures to ports?
>
> Most people have no better connection to the PGP Web of Trust than
> they do to the FreeBSD CVS repository, so there is effectively no
> difference.  That is to say, I can make a signature that claims to be
> signed by "Andrew McNaughton <andrew@scoop.co.nz>" almost as easily as
> I can make an unsigned MD5 checksum.  Only people who have already
> been introduced to your real PGP key would know the difference.

Given that the ports are distributed by FreeBSD.org, it would only be
necessary to have one signing key which signs the signatures that are
expected to match the tarballs.  The public master key could be
distributed once, and present on any newly installed system.

Andrew McNaughton
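Added example, not part of the original message or of FreeBSD's tooling: a sketch of the scheme proposed above, in which one master key signs the checksum manifest and a client holding only the pinned public key checks the manifest signature before trusting any checksum in it. Assumptions: SHA-256 and RSA PKCS#1 v1.5 stand in for MD5 and PGP, the `<digest>  <name>` manifest format, the function names and the port name are hypothetical, and the demo key is built from publicly known primes.

```python
import hashlib

# Constructed demo key: its factors are the public Mersenne primes 2^521-1 and
# 2^607-1, so the private half is NOT secret. Illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                      # (N, E) plays the master public key shipped with the install
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer below N."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign_manifest(manifest: bytes) -> int:
    """Distributor side: sign the whole checksum manifest with the master key."""
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
    return pow(encode(manifest), d, N)

def verify_tarball(tarball: bytes, name: str, manifest: bytes, sig: int) -> bool:
    """Client side: trust the manifest only if the pinned key signed it,
    then accept the tarball only if its digest matches the manifest entry."""
    if not 0 < sig < N or pow(sig, E, N) != encode(manifest):
        return False  # manifest is not from the key holder; ignore its checksums
    actual = hashlib.sha256(tarball).hexdigest()
    for line in manifest.decode("ascii", "replace").splitlines():
        digest, _, fname = line.partition("  ")
        if fname == name:
            return digest == actual
    return False  # no entry for this file: fail closed

# Constructed sample data (hypothetical port name and contents).
SAMPLE_TARBALL = b"constructed tarball contents"
SAMPLE_MANIFEST = (hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  foo-1.0.tar.gz\n").encode()

if __name__ == "__main__":
    sig = sign_manifest(SAMPLE_MANIFEST)
    print(verify_tarball(SAMPLE_TARBALL, "foo-1.0.tar.gz", SAMPLE_MANIFEST, sig))         # genuine
    print(verify_tarball(SAMPLE_TARBALL + b"!", "foo-1.0.tar.gz", SAMPLE_MANIFEST, sig))  # altered tarball
```

The order of checks is the point: a checksum that arrives alongside the tarball proves nothing until the manifest carrying it has been tied to the key already present on the system.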