rperry4 at earthlink.net
Wed Mar 17 16:04:47 PST 2004
Kris Kennaway wrote:
>On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:
>>I'm at the stage now, where I need to validate and certify the Security
>>PGP key before I can verify the signature. Documentation suggests
>>the key during a phone call." Later, there is the reality that "If you
>>don't know the owner of the public key you are really in trouble."
>>Is there some recommended course to follow when it comes to handling these
>>FreeBSD security patches?
>The point of doing that is that you need to verify to your own
>satisfaction that the key that says "FreeBSD Security Officer" really
>comes from the FreeBSD Security Officer, and not Joe Evil who is
>trying to convince you to run malicious code on your system in the
>name of a security patch.
>How much convincing you need is up to you
I think I was born paranoid. Odds are I was looking both ways before even
considering poking my head into this world.
>- if you are happy with
>comparing the key fingerprint included in copies of the documentation,
>you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the
>copy that was probably installed with your system, or versions on the
>web. If you really want to talk to the security officer to verify his
>key, you can email him to arrange a phonecall. Of course, then you're
>trusting the email and phone system, etc :-)
>Security is hard, there are no magic solutions - the best you can
>do is to minimize the level of risk to a level that is acceptable to
That became apparent once I stopped whining.
I've learned that whatever hits the fan will not be evenly
FreeBSD 4.9-RELEASE-p2 #0
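
The fingerprint comparison described in the quoted reply, as an added example that is not part of the original message: it reads the fingerprint from GnuPG's colon-format listing and requires every independently obtained copy (CD Handbook, installed docs, web) to agree. The function names are hypothetical and all fingerprints are constructed placeholders, not the real FreeBSD Security Officer key.

```shell
#!/bin/sh
# Added example (not from the thread). All fingerprints are constructed placeholders.

# Constructed sample of `gpg --with-colons --fingerprint KEYID` output.
SAMPLE_COLONS='pub:-:1024:17:89ABCDEF01234567:1000000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1000000000::::Example Security Officer (constructed):'

# Fingerprints as printed in independent copies of the documentation (constructed).
DOC_CD='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
DOC_WEB='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'
TAMPERED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4568'

# Strip spaces and colons and uppercase, so layout differences do not matter.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read a colon-format listing on stdin; print the primary key fingerprint
# (field 10 of the first "fpr" record following the "pub" record).
primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }'
}

# check_fpr KEYFPR MIN SRC...
#   0: every source matches and at least MIN sources were supplied
#   1: some source disagrees (a red flag, not something to settle by majority)
#   2: too few independent sources were supplied
check_fpr() {
    key=$(normalize_fpr "$1"); min=$2; shift 2
    [ "$#" -ge "$min" ] || return 2
    for src in "$@"; do
        if [ "$(normalize_fpr "$src")" != "$key" ]; then
            echo "MISMATCH: $src" >&2
            return 1
        fi
    done
    return 0
}

fp=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr)
if check_fpr "$fp" 2 "$DOC_CD" "$DOC_WEB"; then
    echo "fingerprint $fp matches both copies"
fi
```

The check only shows that the copies agree with each other; how many sources count as independent enough is still the reader's own decision, as the reply says.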