Message-ID: <20150322193521.GA2456@yuggoth.org>
Date: Sun, 22 Mar 2015 19:35:21 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux
On 2015-03-22 20:19:00 +0100 (+0100), Kristian Fiskerstrand wrote:
[...]
> The package being signed using the same key over
> time signifies that it is coming from an authoritative source (unless
> you've been MITMed a long time), the fingerprint of the OpenPGP key
> should be included in email announcements and other documents that are
> being mirrored by multiple sources, reducing the likelihood of a MITM
> if corresponding information is the same in multiple archives over a
> long time.
[...]
And the repository signing key is hopefully also published to a
well-known keyserver network along with signatures from maintainers
of the primary distribution repository, some of whom may be known
(either directly or transitively via other key signatures) to the
end user. And repository signing keys can be gradually replaced by
generating new keys well in advance and signing them with the old
keys as a transition, then adding them to the trust keyring long
enough before the current key is retired that clients already have
it once it starts to get used.
--
Jeremy Stanley
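The two mechanisms in the reply above (trust reaching the repository key directly or transitively through maintainer certifications, and a key transition in which the new key is signed by the old one and published well before the old key is retired) can be modelled in a few dozen lines. The following is an added example, not part of the mailing-list message and not GnuPG's own trust computation; it is a simplified model in which a certification is just "fingerprint X signed key Y", the keyring, fingerprints such as `FPR-ALICE` and `REPO-2014`, dates and the 90-day lead time are all constructed placeholders.

```python
"""Constructed model of transitive key trust and of a repository signing-key
transition with an overlap window. Not GnuPG's algorithm; fingerprints and
dates below are placeholders, not real keys."""
from collections import deque
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Key:
    """One key as seen in a keyring (simplified)."""
    fpr: str                                # fingerprint (constructed placeholder)
    owner: str
    created: date                           # day the key was published / added to the keyring
    retired: Optional[date] = None          # last day clients should still accept it
    certified_by: frozenset = frozenset()   # fingerprints of keys that signed this one


def build_keyring(keys):
    return {k.fpr: k for k in keys}


def trust_path(keyring, trusted, target, max_depth=3):
    """Breadth-first search from the user's directly trusted keys along
    certification edges (signer -> signed key). Returns the chain of
    fingerprints ending at `target`, or None if none exists within
    `max_depth` certifications (the idea behind a certification-depth limit)."""
    if target in trusted:
        return [target]
    certified = {}                          # signer -> keys that signer has certified
    for k in keyring.values():
        for signer in k.certified_by:
            certified.setdefault(signer, []).append(k.fpr)
    queue = deque([fpr] for fpr in sorted(trusted))
    seen = set(trusted)
    while queue:
        path = queue.popleft()
        if len(path) > max_depth:           # path already uses max_depth certifications
            continue
        for nxt in sorted(certified.get(path[-1], [])):
            if nxt in seen:
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def transition_ok(keyring, old_fpr, new_fpr, lead_time=timedelta(days=90)):
    """Check the transition the mail describes: the new key must be signed by
    the old key and must have been added to the keyring at least `lead_time`
    before the old key's retirement, so clients already hold it when it starts
    signing. Returns a list of problems; an empty list means the plan is sound."""
    old, new = keyring[old_fpr], keyring[new_fpr]
    problems = []
    if old_fpr not in new.certified_by:
        problems.append("new key is not signed by the old key")
    if old.retired is None:
        problems.append("old key has no retirement date")
    elif new.created > old.retired - lead_time:
        days = (old.retired - new.created).days
        problems.append(f"new key published only {days} days before retirement")
    return problems


# Constructed sample keyring: the user has verified maintainer A's key in person;
# A certified B; both certified the repository keys; REPO-LATE was never certified.
KEYRING = build_keyring([
    Key("FPR-ALICE", "distro maintainer A", date(2010, 5, 1)),
    Key("FPR-BOB", "distro maintainer B", date(2011, 3, 1),
        certified_by=frozenset({"FPR-ALICE"})),
    Key("REPO-2014", "repository signing key", date(2014, 1, 10), retired=date(2015, 6, 30),
        certified_by=frozenset({"FPR-ALICE", "FPR-BOB"})),
    Key("REPO-2015", "repository signing key", date(2015, 1, 15), retired=date(2016, 6, 30),
        certified_by=frozenset({"REPO-2014", "FPR-BOB"})),
    Key("REPO-LATE", "hastily rotated key", date(2016, 6, 20)),
])
USER_TRUSTS = {"FPR-ALICE"}

if __name__ == "__main__":
    for fpr in ("REPO-2014", "REPO-2015", "REPO-LATE"):
        print(fpr, "trust path:", trust_path(KEYRING, USER_TRUSTS, fpr))
    print("2014 -> 2015:", transition_ok(KEYRING, "REPO-2014", "REPO-2015") or "ok")
    print("2015 -> LATE:", transition_ok(KEYRING, "REPO-2015", "REPO-LATE"))
```

Two things worth noting in the sample run: `REPO-2015` is reachable only through two certifications (A signed B, B signed the key), so lowering `max_depth` to 1 makes it untrusted even though it is a legitimate successor, and `REPO-LATE` fails both transition checks because it was neither signed by its predecessor nor published with enough lead time for clients to pick it up.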