Re: KDE SC 4.5.1 packages available


On Tuesday 14 September 2010 13:09:37 Torsten Grote wrote:
> Another note on security:
> pkg-kde-archive-keyring seems to be hosted on the same repository it is
> supposed to verify the trustworthiness of, and it is not signed with an
> already trusted key. Installing an untrusted key and trusting it for all
> KDE packages is pointless for security.

Well, frankly, pkg-kde-archive-keyring is not a very good example of security, 
but imho it is good enough for this purpose. It is there mostly to shut 
apt/aptitude up. Bear in mind that you already trust the repository enough by 
adding it to sources.list.

However, you are still somewhat protected from man-in-the-middle attacks. The 
archive key is signed by me and my key is in the Debian developers keyring, so 
you can always validate the pkg-kde-archive-keyring package.

$ gpg --no-default-keyring --keyring /usr/share/keyrings/pkg-kde-archive-keyring.gpg --list-sigs E79C8BAB
pub   4096R/E79C8BAB 2010-03-05
uid                  Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>
sig 3        E79C8BAB 2010-03-05  Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>
sig          73EAE214 2010-03-05  [User ID not found]

Modestas Vainius <modestas@vainius.eu>
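The validation step the reply describes (the archive key is only worth trusting because it carries a certification from a key that is already in a separately trusted keyring) can be scripted. The script below is an added example and is not code from the thread or from the pkg-kde project: it generates three throwaway keys in a temporary GNUPGHOME standing in for the archive signing key, the developer key and an unrelated bystander, exports them into separate keyrings, and then checks whether the archive key is certified by any key in a given trusted keyring. All key ids, user ids and keyring paths in it are constructed for the demo; on a real system the trusted keyring would be /usr/share/keyrings/debian-keyring.gpg and the target the archive key's fingerprint.

```shell
#!/bin/sh
# Added example (not from the original thread). Models "the archive key is signed
# by a key in a keyring I already trust" with throwaway keys in a temp GNUPGHOME.
# Requires gpg 2.1 or newer.
set -e

# keyring_certified_by ARCHIVE_RING TRUSTED_RING TARGET_FPR
# Returns 0 when the key TARGET_FPR (held in ARCHIVE_RING) carries a signature
# made by some key whose fingerprint is listed in TRUSTED_RING, 1 otherwise.
# Self-signatures on the target key are ignored.
keyring_certified_by() {
    archive_ring=$1
    trusted_ring=$2
    target=$3

    # Fingerprints of every key in the trusted keyring (fpr record, field 10).
    trusted_fprs=$(gpg --batch --no-default-keyring --keyring "$trusted_ring" \
        --with-colons --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }')

    # Long key ids of every signer on the target key (sig record, field 5).
    # Both keyrings are loaded so the signer is resolved when it is present.
    sig_keyids=$(gpg --batch --no-default-keyring --keyring "$archive_ring" \
        --keyring "$trusted_ring" --with-colons --list-sigs "$target" 2>/dev/null \
        | awk -F: '$1 == "sig" { print $5 }')

    for keyid in $sig_keyids; do
        case "$target" in *"$keyid") continue ;; esac   # skip the self-signature
        for fpr in $trusted_fprs; do
            # A v4 fingerprint ends with the 16-hex-digit long key id.
            case "$fpr" in *"$keyid") return 0 ;; esac
        done
    done
    return 1
}

# gen_key UID: create a throwaway key (constructed demo data) and print its fingerprint.
gen_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# demo_setup: three keys exported into separate keyrings under $DEMO_DIR:
#   archive.gpg   the "archive signing key", certified by the "developer" key
#   trusted.gpg   the "developer" key alone (stands in for the Debian developers keyring)
#   unrelated.gpg a key that never signed anything (negative control)
demo_setup() {
    DEMO_DIR=$(mktemp -d)
    GNUPGHOME=$DEMO_DIR/gnupg
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    ARCHIVE_FPR=$(gen_key "Demo archive signing key <archive@example.invalid>")
    DEV_FPR=$(gen_key "Demo developer <dev@example.invalid>")
    UNRELATED_FPR=$(gen_key "Demo bystander <other@example.invalid>")

    # The developer certifies the archive key: this is the "signed by me" step.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$DEV_FPR" --quick-sign-key "$ARCHIVE_FPR" >/dev/null 2>&1

    gpg --batch --export "$ARCHIVE_FPR"   > "$DEMO_DIR/archive.gpg"
    gpg --batch --export "$DEV_FPR"       > "$DEMO_DIR/trusted.gpg"
    gpg --batch --export "$UNRELATED_FPR" > "$DEMO_DIR/unrelated.gpg"

    # Stop the agent gpg spawned for key generation; listing sigs does not need it.
    gpgconf --kill all >/dev/null 2>&1 || true
}

# demo: returns 0 when the positive and negative checks both behave as expected.
demo() {
    demo_setup
    keyring_certified_by "$DEMO_DIR/archive.gpg" "$DEMO_DIR/trusted.gpg" "$ARCHIVE_FPR" \
        || { echo "FAIL: expected a certification from the trusted keyring"; return 1; }
    if keyring_certified_by "$DEMO_DIR/archive.gpg" "$DEMO_DIR/unrelated.gpg" "$ARCHIVE_FPR"; then
        echo "FAIL: an unrelated keyring must not vouch for the archive key"; return 1
    fi
    echo "OK: archive key is certified by a key in the trusted keyring"
}

demo
```

The check deliberately matches signer key ids against full fingerprints from the trusted keyring rather than trusting names in the `--list-sigs` output, since the `[User ID not found]` line in the reply above shows that gpg prints only the signer's key id when the signer's key is not loaded; the trusted keyring supplies the fingerprint to match against.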

