Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Jun 2013 10:51:57 +0100
From: Simon McVittie <>
Subject: Re: Thoughts on a vuln/CVE?

On 18/06/13 07:44, Kurt Seifried wrote:
> As for the security of the repo key proving that it it is safe/not 
> compromised would be hard, I'm guessing it wasn't held on an HSM,
> and was it securely destroyed, or?

In this case the repository key is the former maintainer's personal
PGP key, which it appears he uses to sign (the same
set of packages as the former I would assume
that it is unlikely to be held on a HSM, but I don't see any reason
why it would now be less safe than it was while
was active.

Anyone who doesn't/didn't trust the maintainer of that repository (and
in particular, anyone who doesn't/didn't trust him to store keys
securely) shouldn't have added that repository's key as "trusted" in
the first place.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.