oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Sat, 04 May 2013 05:08:06 -0400
On Thu 2013-04-25 10:03:15 -0400, nicolas vigier wrote:
> The good thing about PGP signed tarballs is that an automated check could be integrated in package build, with some standard macros or script to make it easy to check a signature from a specific key. If it's easy and does not cost time then more packagers will do it.
For Debian, this suggestion was made in http://bugs.debian.org/610712 for the "uscan" tool, which looks for new upstream releases.

I've just supplied a patch to that bug with a simple implementation for the common case where the signatures are distributed alongside the tarballs with a similar name, and are made by one of a small set of known keys. It has some flaws, but it's certainly better than doing nothing.

I welcome review and/or feedback and suggestions on that bug report.

Regards,

--dkg
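The check described above, as an added example (not dkg's uscan patch and not code from the bug report): a POSIX shell sketch that looks for a signature next to the tarball, verifies it against a dedicated keyring, and then, because gpg --verify succeeds for any key in that keyring, requires the fingerprint in gpg's VALIDSIG status line to be one of a small allowlist. Fingerprints, the keyring path and file names are assumed placeholders.

```shell
#!/bin/sh
# Added example: verify an upstream tarball's detached PGP signature against a
# small allowlist of key fingerprints. Assumes the common layout the post
# describes (<tarball>.asc/.sig/.sign next to the tarball); fingerprints,
# keyring path and file names are placeholders, not values from the thread.

# Candidate signature file names for a tarball, in the order they are tried.
sig_candidates() {
    printf '%s\n' "$1.asc" "$1.sig" "$1.sign"
}

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names a
# key in the whitespace-separated allowlist (signing subkey or its primary key).
# gpg --verify exits 0 for any key in the keyring, so this is the check that
# ties the signature to the keys the packager has actually decided to trust.
status_signed_by_allowed_key() {
    allowed="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line        # $3 = signing key fpr, last field = primary fpr
                for w; do last=$w; done
                for ok in $allowed; do
                    if [ "$3" = "$ok" ] || [ "$last" = "$ok" ]; then return 0; fi
                done
                ;;
        esac
    done
    return 1
}

# Verify one tarball with a dedicated keyring that holds only upstream's keys.
# Exit status: 0 verified, 2 no signature found, 3 bad or non-allowlisted signature.
verify_tarball() {
    tarball="$1"; keyring="$2"; allowed="$3"; sig=""
    for cand in $(sig_candidates "$tarball"); do
        if [ -f "$cand" ]; then sig="$cand"; break; fi
    done
    [ -n "$sig" ] || { echo "no signature found for $tarball" >&2; return 2; }
    # gpg's own exit code is deliberately ignored; the status lines decide.
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || :
    printf '%s\n' "$status" | status_signed_by_allowed_key "$allowed" || {
        echo "signature on $tarball is not from an allowed key" >&2; return 3; }
    echo "verified $tarball using $sig"
}
```

A dedicated keyring plus the fingerprint allowlist means a stolen or look-alike key that happens to be in the packager's default keyring cannot satisfy the check.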