ftp site

Rick Thomas yellowdog-general@lists.terrasoftsolutions.com
Thu Mar 6 09:38:01 2003


Nathan,

I don't understand.  If the package (wherever I got it from...) is GPG
signed by the private key for which I have (and trust) the public key, how
can it be untrustworthy?

Maybe a link to "the recent trojaning of various OSS packages from the ftp
site in the last month" discussion would clear things up?

Rick



On 3/6/03 8:45 AM, "nathan r. hruby" <nathan@drama.uga.edu> wrote:

> On Thu, 6 Mar 2003, Chris Croome wrote:
> 
>> Hi
>> 
>> On Wed 05-Mar-2003 at 11:53:36 -0500, nathan r. hruby wrote:
>>> 
>>> Ick.  No.  p2p is nice, but unless you can ensure that the packages
>>> haven't been tampered with, I want my updates from an official (or at
>>> least "trusted") mirror or source.
>> 
>> Isn't GPG/PGP signing of packages good enough for this?
>> 
> 
> No.  I want things from a trusted source as well as gpg signed.  Even
> trusted sources can sometimes be corrupt -- see the recent trojaning of
> various OSS packages from the ftp site in the last month.
> 
> p2p is a nice paradigm, don't get me wrong, just inappropriate for
> trustworthy transactions at the current time (mainly because lack of an
> identity/trust mechanism.. add a really good trust framework and it'll be
> the perfect thing; however I don't see that happening as for trust to be
> established, you need to have an identity to trust and identities are very
> under-rated in today's world - esp. when all you want is to trade some
> mp3's)
> 
> -n
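The point the two messages above circle around, as an added example that is not part of the original list post: a detached signature checked against a pinned, already-trusted public key proves which key signed the bytes, which is enough to reject a package altered on a mirror or re-signed with some other key, but it says nothing about whether the source holding that key was itself compromised. The Go code below uses Ed25519 from the standard library as a stand-in for OpenPGP (the thread talks about GPG; this is not gpg and does not read its keyrings), and all key ids, package names and contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustStore is the set of signing keys the administrator has chosen to
// trust, indexed by a key id. It plays the role of a keyring of trusted
// public keys; the ids used below are constructed for this example.
type TrustStore map[string]ed25519.PublicKey

// SignedPackage bundles package contents with a detached signature and the id
// of the key that claims to have produced the signature.
type SignedPackage struct {
	Name      string
	Contents  []byte
	KeyID     string
	Signature []byte
}

// VerifyPackage accepts a package only if its signature verifies under a key
// that is already pinned in the trust store. A key id that is not pinned is
// rejected outright, even if the package ships a public key that would match
// its own signature: trusting a key because it arrived with the package would
// defeat the purpose of signing.
func VerifyPackage(ts TrustStore, pkg SignedPackage) error {
	pub, ok := ts[pkg.KeyID]
	if !ok {
		return fmt.Errorf("%s: signing key %q is not in the trust store", pkg.Name, pkg.KeyID)
	}
	if !ed25519.Verify(pub, pkg.Contents, pkg.Signature) {
		return fmt.Errorf("%s: signature does not verify (altered contents or wrong key)", pkg.Name)
	}
	return nil
}

// Outcome records what verification decides in each of the cases the thread
// discusses. Each field is true when the decision is the one its name states.
type Outcome struct {
	GenuineAccepted          bool // untouched package, signed by the trusted key
	TamperedRejected         bool // contents altered in transit after signing
	UnknownKeyRejected       bool // signed by a key the administrator never trusted
	TrojanedAtSourceAccepted bool // trojaned contents signed by the trusted key itself
}

// RunScenario builds four packages from constructed sample data and runs
// them through VerifyPackage.
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// An attacker who does not hold the vendor's private key makes their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	ts := TrustStore{"vendor-release-key": vendorPub}

	genuine := []byte("example-1.0.tar.gz: clean build (constructed sample)")
	trojaned := []byte("example-1.0.tar.gz: build with backdoor (constructed sample)")

	sign := func(name string, contents []byte, keyID string, priv ed25519.PrivateKey) SignedPackage {
		return SignedPackage{Name: name, Contents: contents, KeyID: keyID, Signature: ed25519.Sign(priv, contents)}
	}

	// Case 1: the package the vendor actually built and signed.
	good := sign("genuine", genuine, "vendor-release-key", vendorPriv)

	// Case 2: the genuine signature, but the contents were swapped on the mirror.
	swapped := good
	swapped.Name = "tampered-in-transit"
	swapped.Contents = trojaned

	// Case 3: the trojaned contents re-signed with a key the administrator
	// never pinned; the unknown key id is refused before any crypto runs.
	reSigned := sign("unknown-key", trojaned, "attacker-key", attackerPriv)

	// Case 4: the vendor's own build or signing host was compromised, so the
	// trojaned contents carry a valid signature from the trusted key. This is
	// the case a signature check alone cannot catch.
	atSource := sign("trojaned-at-source", trojaned, "vendor-release-key", vendorPriv)

	return Outcome{
		GenuineAccepted:          VerifyPackage(ts, good) == nil,
		TamperedRejected:         VerifyPackage(ts, swapped) != nil,
		UnknownKeyRejected:       VerifyPackage(ts, reSigned) != nil,
		TrojanedAtSourceAccepted: VerifyPackage(ts, atSource) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Cases 2 and 3 are what signing buys you on a peer-to-peer or mirror network: bytes that were changed after signing, or signed by a key nobody pinned, are rejected regardless of where they were downloaded from. Case 4 is the residual risk Nathan describes: a signature from the trusted key verifies even when the signed contents were trojaned before signing, so the trust store decides whose compromise you are exposed to, and reproducible builds or independent checksums published over a second channel are what narrow that gap.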