Date: Sun, 22 Mar 2015 00:24:58 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

> Windows users are also left out without this: they don't have GPG, and
> they don't have a secure way to obtain GPG.

http://www.gpg4win.org/
http://sourceforge.net/projects/msys2/

Not even HTTPS *without* HSTS + HPKP. Gpg4win did get part of the way there
but didn't grab a free certificate from GlobalSign or StartSSL.

The official gnupg site uses ftp with... GPG signatures. I guess you're
supposed to validate that the GPG installer you've downloaded is valid by
running the GPG installer? :P

https://www.gnupg.org/download/

Is there actually a way for a Windows user to obtain it securely?

GPG simply doesn't work here, even if you assume that users are going to
take extra steps to verify the download. You have to rely on HTTPS (or
HKPS) to obtain the GPG key anyway, so I don't see the point in pushing for
it here. It's fantastic for package signing, sure :).
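Added example, not part of the message above nor code from Gpg4win or GnuPG: a small Python checker that parses Strict-Transport-Security (RFC 6797) and Public-Key-Pins (RFC 7469) response headers and reports whether a download host offers the HSTS + HPKP transport protection the post says the Gpg4win site lacked. The header values, pin strings and the one-year max-age threshold are constructed for the example, not captured from gpg4win.org or gnupg.org.

```python
"""Assess HSTS / HPKP headers on an HTTPS download host (RFC 6797 / RFC 7469).

All sample headers below are constructed; nothing here was fetched from a
real site.
"""

# Constructed policy threshold: one year, the minimum browsers expect for
# HSTS preloading.
MIN_MAX_AGE = 31536000


def parse_directives(value):
    """Split 'max-age=3600; includeSubDomains' into a dict.

    Directive names are case-insensitive; values may be double-quoted.
    pin-sha256 may repeat, so it is collected into a list.
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "pin-sha256":
            out.setdefault(name, []).append(val)
        else:
            out[name] = val
    return out


def assess(headers):
    """Return findings for a dict of HTTP response headers (any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    f = {"hsts": False, "hsts_long_enough": False,
         "hsts_subdomains": False, "hpkp": False}
    if "strict-transport-security" in h:
        d = parse_directives(h["strict-transport-security"])
        f["hsts"] = d.get("max-age", "").isdigit()  # max-age is mandatory
        if f["hsts"]:
            f["hsts_long_enough"] = int(d["max-age"]) >= MIN_MAX_AGE
        f["hsts_subdomains"] = "includesubdomains" in d
    if "public-key-pins" in h:
        d = parse_directives(h["public-key-pins"])
        pins = d.get("pin-sha256", [])
        # RFC 7469: at least two pins (one must be a backup) plus a max-age.
        f["hpkp"] = len(pins) >= 2 and d.get("max-age", "").isdigit()
    return f


# Constructed sample responses for a plain-HTTPS host and a hardened host.
PLAIN_HTTPS = {"Content-Type": "text/html"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="CONSTRUCTED_PIN_ONE="; '
                       'pin-sha256="CONSTRUCTED_PIN_TWO="; max-age=2592000',
}
```

Browsers later removed HPKP support entirely, so on a current host only the HSTS findings still carry weight; the HPKP check is kept to match the 2015 discussion.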