trusting downloaded code (was: [vox-tech] Installing Java)
Richard Harke
rharke at earthlink.net
Thu Dec 30 22:52:40 PST 2004
On Thursday 30 December 2004 11:34, Rick Moen wrote:
> Quoting Henry House (hajhouse at houseag.com):
> > I've occasionally speculated that it would be really useful for
> > distributions to provide a package containing all the public keys used by
> > upstram maintainers (e.g., kernel.org) to sign releases. There is no
> > guarantee that when I download Foo Group GmBH's latest tarball and PGP
> > key from their FTP server, then verify the former against the latter,
> > that I have not downloaded a compromised tarball AND conpromised PGP key.
> > Thoughts?
>
>
> A more _standard_ (extant and functional) way you verify that a PGP/gpg
> key is valid is via signatures in that key (and absence of a revocation
> certificates) in the worldwide web of trust. Obviously, you would not
> _ever_ want to trust an upstream package _merely_ because it was
> accompanied by either J. Random PGP/gpg key or an MD5 sum, as any halfway
> competent intruder would fake those, too.
For some packages I have downloaded, the signers key is retrieved from a
different site. I also then check against a key server. This is not foolproof
but it does make the bad guys job harder. Another factor is time. If I use the
same sites over again, I may be able to check against a key I got some
time ago. Presumably, if it would have been compromised, it would have
been canceled and a new key generated.
Richard Harke
More information about the vox-tech
mailing list