On 03/17/2015 10:04 PM, Doug Barton wrote:
> On 3/17/15 1:54 PM, Peter Lebbing wrote:
>>>> -----Original Message-----
>
> Assuming you get the package, the signature, and the fingerprint
> from the same *.gnupg.org resources, what does that buy you?

Strictly speaking, there could be multiple servers hosting the various
resources, only one of which is compromised. It is also quite common to
download the source from a mirror rather than *.gnupg.org directly.

>
> More extensive checking would be great, but would require a lot of
> documentation to teach the users how to do it ... are you
> volunteering to write it? :)
>

It's included in every announcement[0]. Just a verification by
cross-checking this information in various archives [1] mirroring the
announcement reduces the likelihood of an active compromise, and is a far
better way to try to bootstrap key validity in the absence of a direct
key path.

References:
[0] http://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html
[1] http://permalink.gmane.org/gmane.org.fsf.announce/2278

--
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you choose to sail upon the seas of banking, build your bank as you
would your boat, with the strength to sail safely through any storm."
(Jacob Safra (1891–1963))
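The cross-check described in the reply above, sketched as an added example that is not part of the original message: it extracts the fingerprints printed in several archived copies of one announcement and accepts the locally imported key only if enough copies agree and none disagrees. The archive names, fingerprints and announcement text are constructed placeholders, and the copies are assumed to come from independently operated archives.

```python
import re

# A fingerprint as gpg prints it: ten groups of four uppercase hex digits.
# Requiring the grouping keeps contiguous lowercase SHA-1 checksums, which an
# announcement may also carry, from being mistaken for key fingerprints.
FPR_RE = re.compile(
    r"(?<![0-9A-F])(?:[0-9A-F]{4}[ \t]{1,2}){9}[0-9A-F]{4}(?![0-9A-F])")

def normalize(fpr):
    """Drop all whitespace and upper-case, so print layouts compare equal."""
    return "".join(fpr.split()).upper()

def fingerprints_in(text):
    """Every key fingerprint printed in one archived copy of an announcement."""
    return {normalize(m) for m in FPR_RE.findall(text)}

def cross_check(copies, local_fpr, min_sources=2):
    """copies maps archive name -> announcement text fetched from that archive.
    local_fpr is what `gpg --fingerprint` shows for the key you imported.
    Returns (ok, agreeing, conflicting)."""
    want = normalize(local_fpr)
    agreeing, conflicting = [], []
    for source, text in sorted(copies.items()):
        found = fingerprints_in(text)
        if want in found:
            agreeing.append(source)
        elif found:  # this copy names a key, but not the one we hold
            conflicting.append(source)
    # One dissenting archive is enough to stop and investigate.
    ok = len(agreeing) >= min_sources and not conflicting
    return ok, agreeing, conflicting

# Constructed sample data: placeholder fingerprints and announcement text.
GOOD = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"
OTHER = "9999 8888 7777 6666 5555  4444 3333 2222 1111 0000"

def announcement(fpr):
    return ("Release announcement (constructed sample)\n"
            "sha1sum: 0123456789abcdef0123456789abcdef01234567  pkg.tar.bz2\n"
            f"      Key fingerprint = {fpr}\n")

COPIES = {"list-archive": announcement(GOOD),
          "third-party-archive": announcement(GOOD)}
TAMPERED = dict(COPIES, mirror=announcement(OTHER))

if __name__ == "__main__":
    print(cross_check(COPIES, GOOD))
    print(cross_check(TAMPERED, GOOD))
```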