On Tue, Dec 09, 2008 at 06:46:58PM -0500, Micah Anderson wrote:
> I've created documentation in the ticket[0] on this issue about how to
> get a release signing key setup and how to get it deployed into the
> release process for puppet. I am very interested in any comments for how
> to improve this process, how to make it more clear, or if there are any
> glaring omissions.
>
> I've also created a wiki page which details how people who download the
> archive could cryptographically verify it[1], I'd also be interested in
> discussion or ideas about this!
>
> 0. http://projects.reductivelabs.com/issues/show/1777
> 1. http://reductivelabs.com/trac/puppet/wiki/VerifyingDownloads
This is great stuff. I think, however, that it may look overly complicated from a user not too familiar with PGP. It's basically steps to create a private key specifically to sign the releases.

I want to underline that the only step required on new releases is this:

    $ gpg --homedir $HOME/release_key --detach-sign --output puppet-0.24.7.tar.gz.sign --armor puppet-0.24.7.tar.gz

Fairly simple.

If that's too complicated, MD5 sums can also be used, but they must be signed by someone with a PGP key somewhere, and that key must be well placed enough in the web of trust for this to work.

MD5 sums alone are not enough anymore. They were useful at some point when you were downloading ISOs or big tarballs and wanted to check that the FTP transfer didn't break anything, but nowadays, it's mostly useless: if you can corrupt the tarball, you can regen the MD5.

A.

-- 
Freedom is being able to make decisions that affect mainly you.
Power is being able to make decisions that affect others more than you.
If we confuse power with freedom, we will fail to uphold real freedom.
                                                    - Richard Stallman
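An added example (not from this thread or from the Puppet project) of the point made above: a verifier that checks a download both by its `.md5` file and by a detached GPG signature, then replaces the archive and regenerates the `.md5` the way anyone who controls the download server could. The unsigned checksum still passes; the signature does not. The archive contents, the throwaway keyring and the `Release Key <release@example.invalid>` identity are constructed for the demo; the key is generated with `--quick-generate-key`, which the thread does not mention, and the GPG part is skipped (reported as `None`) when no usable `gpg` is on the path.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path


def write_md5_file(archive: Path, md5_file: Path) -> None:
    """Write an md5sum-style line ('<digest>  <name>') for the archive."""
    digest = hashlib.md5(archive.read_bytes()).hexdigest()
    md5_file.write_text(f"{digest}  {archive.name}\n")


def md5_matches(archive: Path, md5_file: Path) -> bool:
    """Naive download check: does the archive hash to the digest in the .md5 file?"""
    expected = md5_file.read_text().split()[0]
    return hashlib.md5(archive.read_bytes()).hexdigest() == expected


def gpg(homedir: Path, *args: str) -> int:
    """Run gpg non-interactively against a throwaway keyring; return its exit code."""
    cmd = ["gpg", "--batch", "--homedir", str(homedir), "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, capture_output=True).returncode


def demo() -> dict:
    """Return the outcome of both checks on a genuine and on a tampered archive."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        archive = tmp / "puppet-0.24.7.tar.gz"          # constructed stand-in, not a real tarball
        md5_file = tmp / "puppet-0.24.7.tar.gz.md5"
        sig = tmp / "puppet-0.24.7.tar.gz.sign"
        archive.write_bytes(b"constructed stand-in for the release tarball\n")
        write_md5_file(archive, md5_file)
        results = {"md5_genuine": md5_matches(archive, md5_file), "gpg_genuine": None, "gpg_tampered": None}
        homedir = tmp / "release_key"                   # same layout as the --homedir in the mail
        homedir.mkdir(mode=0o700)
        # Constructed release key (no passphrase, never expires); skipped if gpg is missing or too old.
        if shutil.which("gpg") \
                and gpg(homedir, "--quick-generate-key", "Release Key <release@example.invalid>",
                        "default", "default", "never") == 0 \
                and gpg(homedir, "--detach-sign", "--armor", "--output", str(sig), str(archive)) == 0:
            results["gpg_genuine"] = gpg(homedir, "--verify", str(sig), str(archive)) == 0
        # Server-side tampering: swap the archive AND regenerate its .md5, as the mail describes.
        archive.write_bytes(b"tampered contents\n")
        write_md5_file(archive, md5_file)
        results["md5_tampered"] = md5_matches(archive, md5_file)   # True: MD5 alone catches nothing
        if results["gpg_genuine"] is not None:                     # False: signature no longer verifies
            results["gpg_tampered"] = gpg(homedir, "--verify", str(sig), str(archive)) == 0
        return results


if __name__ == "__main__":
    print(demo())
```

A real verifier would of course import the maintainer's public key into its own keyring rather than generate one; the throwaway key here only exists so the demo runs offline.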