[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#732450: debian/watch: help uscan verify PGP signature automatically


On 23.12.2013 17:48, Daniel Kahn Gillmor wrote:
> But if apache is issuing cryptographic signatures from any of the weak
> keys in KEYS, we should encourage them to stop doing so.  Apache's
> source code is a high-value target, and we should not leave the software
> distribution mechanism open to fiddling based on weak keys for
> cryptographic certifications.
> I recommend filtering KEYS by removing every key whose primary key (or
> any signing-capable subkey) is less than 3072 bits (assuming RSA or DSA
> keys here) before storing it in debian/upstream-signing-key,pgp.

I'm absolutely with you on that. I strongly agree that Apache people
should use stronger keys. However, we're a distribution - it's not our
job to define key requirements for upstreams. We can, and maybe should
talk to them on that matter but technically it's not only Jim to be
allowed to release new versions of the Apache web server.  That being
said, it's them to accept/define valid and legit keys used within their

Therefore, I thought a more complete patch would be a keyring which
includes all signatures of people allowed to sign and release code on
behalf of the httpd project.

I do not mind removing "weak" keys again, but then I wonder if there is
an actual benefit if Jim for once doesn't sign a release.

Either way, we should move this discussion to upstream I guess.

with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: