Date: Thu, 02 May 2013 11:19:49 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Alistair Crooks <agc@...src.org>
Subject: Re: upstream source code authenticity checking

On 05/02/2013 09:24 AM, Alistair Crooks wrote:
> And if you seriously think someone who searches for my public key
> on a webserver, or through mail, or business card, etc, downloads
> my public key from one of the servers, imports it into their own
> pubring, signs it with their own private key, then mails it to me,
> or uploads it to one of the key servers, all without trusting me in
> any way, then I'll show you a pretty awful stalker (and fairly
> inefficient one, due to the need to sign my pubkey), a fan boy
> (which is hardly likely to happen in my case), or someone who is
> rather sad. (I'm discounting impaired judgement due to the baroque
> processes involved here, sorry xkcd).


http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x160D45535E267993

It happens, I have no idea who Rafael Alfredo Capucho
<rafael.capucho@...il.com> is.

> 
> i.e. no-one goes to that kind of trouble just to say "I know this 
> person" - that's what facebook and google+ are for.
> 
> Regards, Alistair
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
