From: Christopher Allan Webber
Subject: Re: Checking signatures on source tarballs
Date: Sun, 21 Feb 2016 20:20:04 -0800
Message-ID: <8760xh4bst.fsf@dustycloud.org>
In-reply-to: <87mvvoavnb.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org, bug-gsrc@gnu.org, Brandon Invergo, Alex Kost

Ludovic Courtès writes:

> Brandon Invergo skribis:
>
>> Hi everyone,
>>
>> On Thu, 2015-10-08 at 13:44 +0200, Ludovic Courtès wrote:
>>
>>> Actually I see that GSRC already maintains per-package keyrings.
>>>
>>> How is this maintained, Brandon? That is, where do you get information
>>> on which keys to put in the keyring, etc.?
>>
>> Admittedly, it's not ideal. When we first add a package, we make a
>> keyring for it based on whatever information is available to us.
>> Sometimes the public key is listed in the release announcement. Other
>> times, we just have to grab the public key of whatever we see the
>> package was signed with. Obviously, that's not very secure since it
>> could have been signed by an attacker. However, usually this process is
>> only performed when adding a new (to GNU) package. Then, if the
>> signature-checking process ever fails on future releases, I actually
>> look into it. Sometimes, no public key is available in any of the key
>> servers as far as I can tell. In those cases, we ignore the signature.
>
> OK. That’s roughly what Mark suggests that we do in Guix, an
> improvement over the current situation.
>
> Thanks for your feedback!
>
> Ludo’.

Extra reasons to want to do signature-based verification:

http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/

... be careful out there!

 - Chris