Date: Sat, 04 May 2013 05:08:06 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: nicolas vigier <boklm@...s-attacks.org>, oss-security@...ts.openwall.com
Subject: Re: upstream source code authenticity checking

On Thu 2013-04-25 10:03:15 -0400, nicolas vigier wrote:
> The good thing about PGP signed tarballs is that an automated check
> could be integrated in package build, with some standard macros or
> script to make it easy to check signature from a specific key. If it's
> easy and does not cost time then more packagers will do it.

For debian, this suggestion was made in http://bugs.debian.org/610712
for the "uscan" tool, which looks for new upstream releases.

I've just supplied a patch to that bug with a simple implementation for
the common case where the signatures are distributed alongside the
tarballs with a similar name, and are made by one of a small set of
known keys.

It has some flaws, but it's certainly better than doing nothing.

I welcome review and/or feedback and suggestions on that bug report.

Regards,

        --dkg
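The check dkg describes (a detached signature shipped beside the tarball, made by one of a small set of known keys) can be illustrated with the following added example. It is not the uscan patch from the bug report and not Debian code; the fingerprints, status lines and keyring path are constructed placeholders, and the decision is made on gpg's `--status-fd` output so the allowlist is compared against full fingerprints rather than user IDs or short key IDs.

```python
"""Verify an upstream tarball's detached OpenPGP signature against an allowlist of
known signing-key fingerprints.  Illustrative code, not the Debian uscan patch."""
import subprocess
from pathlib import Path

# Constructed allowlist: full 40-hex-digit fingerprints of the keys upstream is known to
# release with.  Short key IDs are not unique, so the allowlist must hold fingerprints.
KNOWN_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords that mean a signature is bad, unverifiable, or by an unusable key.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NODATA", "NO_PUBKEY"}


def signature_candidates(tarball: str):
    """Signature files commonly shipped next to a tarball under a similar name."""
    return [tarball + ext for ext in (".asc", ".sig", ".sign")]


def evaluate_status(status_lines, allowed=KNOWN_FINGERPRINTS):
    """Return True only if at least one VALIDSIG comes from an allowlisted key and no
    signature in the file is bad or unverifiable.  GOODSIG carries just a 64-bit key ID,
    so the decision keys off VALIDSIG, whose first field is the full fingerprint."""
    valid = set()
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kind = fields[1]
        if kind == "VALIDSIG":
            fpr = fields[2].upper()
            # Field 11, when present, is the primary key's fingerprint; accept a signing
            # subkey whose primary key is allowlisted as well as the primary key itself.
            primary = fields[11].upper() if len(fields) > 11 else fpr
            if fpr in allowed or primary in allowed:
                valid.add(fpr)
        elif kind in BAD_STATUS:
            return False  # be strict: any bad or unverifiable signature fails the check
    return bool(valid)


def verify_tarball(tarball: str, keyring: str, allowed=KNOWN_FINGERPRINTS):
    """Run gpg against an isolated keyring (assumed to hold only the known upstream keys)
    so that unrelated keys in the packager's default keyring cannot satisfy the check."""
    sigs = [s for s in signature_candidates(tarball) if Path(s).is_file()]
    if not sigs:
        return False
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sigs[0], tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), allowed)
```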