Date:      Tue, 30 Dec 2003 08:34:58 -0500 (EST)
From:      Jose Nazario <jose@monkey.org>
To:        Sergei Kolobov <sergei@FreeBSD.org>
Cc:        freebsd-ports@FreeBSD.org
Subject:   Re: RFC: automatically verify GnuPG signatures
Message-ID:  <Pine.BSO.4.58.0312300830150.1098@naughty.monkey.org>
In-Reply-To: <20031229063439.GA794@chetwood.ru>
References:  <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <20031229063439.GA794@chetwood.ru>

i'm still against this. here's a scenario that is all too common:

you download package foo-1.2 for building with the ports tree, it has a
sig. you don't have the key, so you import it. do you trust it? you're the
discriminating sort, so you look at the signatures and you see that Jose
Nazario signed it. hey, you know him, oh, he has a key. so you say "ok".

without tying that key back to the large, strong set of signed keys, you
don't know for sure. about 1/3 of the packages i sampled last year don't
map back to the strong set, so you can't do realistic key lookups. i gave
some presentations on this and even have a paper in JOSU on this. this is
why i am against it, the technology doesn't solve the real underlying
problem.

i do suggest a change in your design, however. don't list two DISTFILE
entries and try and work out the logic about which is a signature. have
DISTFILE and DISTFILE_SIG, then you never have to question (and potentially
make mistakes). it's also very clear to everyone what the file is.

i hope all is well.

ps: i don't use pgp. if you ever see a key from me consider it invalid and
probably compromised.

___________________________
jose nazario, ph.d.			jose@monkey.org
					http://monkey.org/~jose/
					http://infosecdaily.net/
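
Added example (not part of the original message and not code from the ports tree): a checker that keeps "the signature verifies" separate from "the key is trusted", which is the gap the scenario above describes. The function name, exit codes and sample status lines are constructed for illustration; it assumes one signature per file and GnuPG's --status-fd output.

```sh
#!/bin/sh
# Classify GnuPG --status-fd output read on stdin.
# Exit status: 0 = valid signature, key validity full or ultimate
#              1 = valid signature, key validity undefined/marginal/never
#              2 = no valid signature (bad sig, missing/expired/revoked key)
# Intended use, with the DISTFILE / DISTFILE_SIG split proposed above:
#   gpg --status-fd 1 --verify "$DISTFILE_SIG" "$DISTFILE" 2>/dev/null \
#       | classify_gpg_status
classify_gpg_status() {
    valid=0 bad=0 trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trust=full ;;
            "[GNUPG:] TRUST_MARGINAL"*)  trust=marginal ;;
            "[GNUPG:] TRUST_UNDEFINED"*) trust=undefined ;;
            "[GNUPG:] TRUST_NEVER"*)     trust=never ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$valid" -eq 0 ]; then
        echo "reject: no valid signature"; return 2
    fi
    if [ "$trust" = full ]; then
        echo "accept: valid signature from a trusted key"; return 0
    fi
    echo "unverified: signature checks out, but key validity is $trust"
    return 1
}

# Constructed status output: key was just imported, no trust path to it.
SAMPLE_IMPORTED_KEY='[GNUPG:] GOODSIG 0000000000000001 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2003-12-30 1072790000
[GNUPG:] TRUST_UNDEFINED'
# Constructed status output: same signature, key reachable via trusted signers.
SAMPLE_TRUSTED_KEY='[GNUPG:] GOODSIG 0000000000000001 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2003-12-30 1072790000
[GNUPG:] TRUST_FULLY'
# Constructed status output: distfile does not match its signature.
SAMPLE_BAD='[GNUPG:] BADSIG 0000000000000001 Example Signer <signer@example.org>'

for s in "$SAMPLE_IMPORTED_KEY" "$SAMPLE_TRUSTED_KEY" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | classify_gpg_status || :
done
```

An automated build that treats exit status 1 as success is accepting whatever key happened to be imported.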


