RFC: automatically verify GnuPG signatures

Jose Nazario jose at monkey.org
Tue Dec 30 05:35:00 PST 2003


I'm still against this. Here's a scenario that is all too common:

You download package foo-1.2 for building with the ports tree; it has a
sig. You don't have the key, so you import it. Do you trust it? You're the
discriminating sort, so you look at the signatures and you see that Jose
Nazario signed it. Hey, you know him; oh, he has a key. So you say "ok".

Without tying that key back to the large, strong set of signed keys, you
don't know for sure. About 1/3 of the packages I sampled last year don't
map back to the strong set, so you can't do realistic key lookups. I gave
some presentations on this and even have a paper in JOSU on this. This is
why I am against it: the technology doesn't solve the real underlying
problem.

I do suggest a change in your design, however. Don't list two DISTFILE
entries and try to work out the logic about which is a signature. Have
DISTFILE and DISTFILE_SIG; then you never have to question (and potentially
make mistakes). It's also very clear to everyone what the file is.

I hope all is well.

PS: I don't use PGP. If you ever see a key from me, consider it invalid and
probably compromised.

___________________________
jose nazario, ph.d.                     jose at monkey.org
                                        http://monkey.org/~jose/
                                        http://infosecdaily.net/
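The distinction the mail draws, that a signature which verifies is not the same as a signature from a key you can tie back to your trusted set, is visible directly in GnuPG's machine-readable status output: `gpg --status-fd` prints a GOODSIG line when the math checks out and a separate TRUST_* line saying how the signing key relates to the keys you trust. The following is an added example for this thread, not code from the mail or from the ports tree. It verifies a DISTFILE / DISTFILE_SIG pair as the mail suggests naming them and refuses a GOODSIG whose key comes back TRUST_UNDEFINED (the result for a key you merely imported from a keyserver). The status-line format is GnuPG's own (documented in doc/DETAILS); the key IDs, fingerprints and user IDs in the sample outputs are constructed, and `verify_distfile` assumes a `gpg` binary on PATH.

```python
"""Accept a ports distfile only when its GnuPG signature is good AND the
signing key is reachable from keys the verifier trusts.

Added example for this thread, not code from the original mail or from the
ports tree. It consumes the machine-readable lines gpg prints with
--status-fd (see GnuPG's doc/DETAILS). Key IDs, fingerprints and user IDs
in the samples are constructed for the example.
"""
import re
import subprocess

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Status keywords after which the signature cannot be accepted at all.
# TRUST_NEVER is an explicit "do not trust this key" and belongs here.
FATAL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
         "TRUST_NEVER")

# Remaining key-validity levels gpg reports, weakest to strongest.
TRUST_ORDER = ("TRUST_UNDEFINED", "TRUST_MARGINAL", "TRUST_FULLY",
               "TRUST_ULTIMATE")


def parse_status(status_text):
    """Return (keyword, args) tuples for every '[GNUPG:] ...' status line."""
    records = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2) or ""))
    return records


def evaluate_status(status_text, min_trust="TRUST_FULLY"):
    """Return (accepted, reason) for one gpg --verify run.

    GOODSIG alone only says the signature checks out against some key in the
    keyring. A key imported from a keyserver minutes ago yields a GOODSIG
    too, paired with TRUST_UNDEFINED, and is rejected unless min_trust is
    deliberately lowered.
    """
    records = parse_status(status_text)
    for keyword, _ in records:
        if keyword in FATAL:
            return False, keyword
    if not any(keyword == "GOODSIG" for keyword, _ in records):
        return False, "no GOODSIG"
    trust_lines = [keyword for keyword, _ in records
                   if keyword.startswith("TRUST_")]
    if not trust_lines:
        return False, "no TRUST_ line"
    level = trust_lines[-1]
    if level not in TRUST_ORDER:
        return False, level
    if TRUST_ORDER.index(level) < TRUST_ORDER.index(min_trust):
        return False, level
    return True, level


def verify_distfile(distfile, sigfile, min_trust="TRUST_FULLY"):
    """Run gpg on a DISTFILE / DISTFILE_SIG pair and apply evaluate_status.

    --status-fd 1 sends the status lines to stdout; human-readable output
    stays on stderr. Assumes gpg is on PATH; not exercised by the samples.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sigfile, distfile],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return evaluate_status(proc.stdout, min_trust)


# Constructed sample outputs (not captured from a real run).
SAMPLE_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2003-12-30 1072785300 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same signature, but the key has a full trust path in this keyring.
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
"""

if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_UNTRUSTED),
                         ("trusted", SAMPLE_TRUSTED), ("bad", SAMPLE_BAD)]:
        print(name, evaluate_status(sample))
```

The default threshold of TRUST_FULLY is the conservative choice: it accepts a signature only when the signing key is validated through keys you have signed or assigned owner trust yourself, which is exactly the "tie it back to the strong set" step the mail says a bare signature check skips. Lowering `min_trust` to TRUST_UNDEFINED reproduces the behaviour the mail warns against.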


More information about the freebsd-ports mailing list