Date: Sun, 22 Mar 2015 19:35:21 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On 2015-03-22 20:19:00 +0100 (+0100), Kristian Fiskerstrand wrote:
[...]
> The package being signed using the same key over
> time signifies that it is coming from an authoritative source (unless
> you've been MITMed a long time), the fingerprint of the OpenPGP key
> should be included in email announcements and other documents that are
> being mirrored by multiple sources, reducing the likelihood of a MITM
> if corresponding information is the same in multiple archives over a
> long time.
[...]

And the repository signing key is hopefully also published to a
well-known keyserver network along with signatures from maintainers of
the primary distribution repository, some of whom may be known (either
directly or transitively via other key signatures) to the end user.

And repository signing keys can be gradually replaced by generating new
keys well in advance and signing them with the old keys as a
transition, then adding them to the trust keyring long enough before
the current key is retired that clients already have it once it starts
to get used.
-- 
Jeremy Stanley
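The key transition described in the last paragraph, walked through with GnuPG as an added example (not part of the original post or of any distribution's tooling). It assumes gpg 2.1 or later and a POSIX sh; the two GNUPGHOME directories stand in for the repository operator and for a client's trust keyring, and the Release file contents and the two key user IDs are constructed for the demonstration. The client verifies a Release file signed by the current key, then fails against one signed by the new key until the new key (certified by the old one) is added to its keyring while the old key is still trusted.

```shell
#!/bin/sh
# Added example: repository signing key transition with GnuPG (assumes gpg >= 2.1).
# $REPO holds the operator's private signing keys; $CLIENT holds the public keys a
# client trusts, which must already contain the new key before the old one retires.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
CLIENT="$WORK/client"
mkdir -m 700 "$REPO" "$CLIENT"
cleanup() {
  gpgconf --homedir "$REPO" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$CLIENT" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# Constructed stand-in for a repository Release file.
printf 'Origin: Example\nSuite: stable\nSHA256:\n deadbeef 1 Packages\n' > "$WORK/Release"

# gen_key UID -> prints the fingerprint of a new sign-only Ed25519 key without expiry.
gen_key() {
  gpg --homedir "$REPO" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" ed25519 sign 0 2>/dev/null
  gpg --homedir "$REPO" --batch --with-colons --list-keys "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_release FPR -> detached signature Release.gpg made with the key FPR.
sign_release() {
  gpg --homedir "$REPO" --batch --yes --quiet --local-user "$1" \
      --detach-sign --output "$WORK/Release.gpg" "$WORK/Release"
}

# client_verify -> "ok" if Release.gpg verifies against the client keyring, else "fail".
client_verify() {
  if gpg --homedir "$CLIENT" --batch --quiet --verify "$WORK/Release.gpg" "$WORK/Release" 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# client_import FPR -> copy the public key FPR (with its certifications) to the client.
client_import() {
  gpg --homedir "$REPO" --batch --export "$1" \
    | gpg --homedir "$CLIENT" --batch --quiet --import 2>/dev/null
}

# certified_by NEWFPR OLDFPR -> "yes" if the client sees a good certification of
# NEWFPR made by OLDFPR (the transition signature), else "no".
certified_by() {
  oldkid=$(printf '%s' "$2" | tail -c 16)
  if gpg --homedir "$CLIENT" --batch --with-colons --check-sigs "$1" 2>/dev/null \
       | awk -F: -v kid="$oldkid" '$1 == "sig" && $2 == "!" && $5 == kid { f = 1 } END { exit !f }'; then
    echo yes
  else
    echo no
  fi
}

# The transition, step by step.
OLD=$(gen_key 'Example Repo Signing Key 2015')
client_import "$OLD"                       # clients already ship with the current key
sign_release "$OLD"
STEP1=$(client_verify)                     # ok: signed by the trusted current key

NEW=$(gen_key 'Example Repo Signing Key 2016')
gpg --homedir "$REPO" --batch --yes --quiet --local-user "$OLD" --quick-sign-key "$NEW"
sign_release "$NEW"
STEP2=$(client_verify)                     # fail: the client does not hold the new key yet

client_import "$NEW"                       # keyring update while the old key is still valid
STEP3=$(client_verify)                     # ok: new key now trusted
LINK=$(certified_by "$NEW" "$OLD")         # yes: the old key vouches for the new one

echo "current key: $STEP1, new key before keyring update: $STEP2, after update: $STEP3, certified by old key: $LINK"
```

STEP2 is the failure mode the post is guarding against: if the repository switches to the new key before clients have received it, every client fails verification. Shipping the new public key (with the old key's certification on it) in the trust keyring well before the switch is what makes the rotation invisible to users.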