
List:       openldap-software
Subject:    Re: PGP Keys
From:       Dominic Hargreaves <dominic.hargreaves () oucs ! ox ! ac ! uk>
Date:       2008-07-30 17:50:23
Message-ID: 20080730175023.GL374 () gunboat-diplomat ! oucs ! ox ! ac ! uk

On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
> 
> On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
> 
> >Does anybody know where I could get the PGP keys to verify the  
> >integrity of the source code I downloaded from a mirror?
> 
> PGP is not used to sign releases or release announcements.
> 
> To verify the integrity of a tarball downloaded from ftp.openldap.org or  
> a mirror, you can check it against the SSHA1 and/or MD5 hashes  
> published as part of the announcement for the release (posted to 
> openldap-announce@openldap.org , archived in that list's archives).
> 
> Hash verification is not intended to detect instances where  
> openldap.org hosted services have been hijacked or otherwise seriously  
> compromised.

However, only offering the option to verify the hashes using unsigned
emails or non-HTTPS publications on a web site is offering up many
more attack vectors.

PGP-signing the hashes would solve this problem and is bog-standard
practice in many (most?) projects, and I would like to see it offered by
OpenLDAP.

Cheers,
Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
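
An added example for the two checks discussed in this thread (this is editorial
code, not from the thread's participants or the OpenLDAP project): a POSIX sh
script that checks a downloaded tarball against the MD5/SHA1 hashes quoted in a
release announcement, and a function showing what the check would look like if
the hash list were PGP-signed as Dominic asks. Everything below is constructed:
the "tarball" is the three bytes "abc" (chosen because its MD5 and SHA1 are
published test vectors), the announcement text and its "ALG (file) = hex" line
format are assumptions about how the hashes would be quoted, and the file names,
keyring and fingerprint arguments of verify_signed_hashes are hypothetical.

```sh
#!/bin/sh
# Added example for the thread above; not OpenLDAP project code.
# 1) verify a mirror download against hashes quoted in an announcement
# 2) show how a PGP-signed hash list would be verified, if one existed
# Sample bytes, announcement format and names below are constructed.
set -eu

# Hex digest of file $2 using algorithm $1 (sha1|md5). Uses the GNU
# coreutils tools when present and the BSD/macOS ones otherwise.
digest() {
    case "$1" in sha1|md5) ;; *) echo "digest: unknown algorithm $1" >&2; return 2 ;; esac
    if [ "$1" = sha1 ]; then
        if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2"; else shasum -a 1 "$2"; fi
    else
        if command -v md5sum >/dev/null 2>&1; then md5sum "$2"; else md5 -r "$2"; fi
    fi | awk '{ print tolower($1) }'
}

# Hash published for tarball $3 under label $2 (MD5 or SHA1) in announcement
# file $1. Assumed (constructed) line format:  SHA1 (openldap-x.y.z.tgz) = <hex>
# Prints nothing if the announcement lists no such entry.
expected_hash() {
    awk -v alg="$2" -v name="($3)" \
        '$1 == alg && $2 == name { print tolower($4); exit }' "$1"
}

# Succeeds only if every hash the announcement lists for the tarball matches.
# A tarball the announcement says nothing about is rejected, not waved through.
# Note the limit of this check: it catches a tampered or corrupted mirror copy,
# but only if the announcement itself came from a channel the mirror cannot
# influence. It proves nothing if the announcement was forged (Kurt's point),
# which is the gap a signature on the hash list would close (Dominic's point).
verify_tarball() {
    tarball_name=$(basename "$1")
    matched=0
    for alg in sha1 md5; do
        label=$(printf '%s' "$alg" | tr 'a-z' 'A-Z')
        want=$(expected_hash "$2" "$label" "$tarball_name")
        [ -n "$want" ] || continue
        got=$(digest "$alg" "$1")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s for %s: got %s, announcement says %s\n' \
                "$label" "$tarball_name" "$got" "$want" >&2
            return 1
        fi
        matched=1
    done
    [ "$matched" -eq 1 ]
}

# What the check would look like with a PGP-signed hash list (hypothetical
# inputs): $1 = detached signature, $2 = the hash list it signs, $3 = a
# keyring holding only the release key (obtained out of band, never from the
# mirror), $4 = that key's fingerprint. gpg exits 0 for a good signature by
# ANY key in the keyring, so the VALIDSIG status line is also matched against
# the expected fingerprint rather than trusting the exit status alone.
verify_signed_hashes() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$4"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a mirror download: the bytes "abc", whose MD5 and
# SHA1 are the standard test vectors quoted in the constructed announcement.
SAMPLE_TARBALL="$WORK/openldap-example.tgz"
printf 'abc' > "$SAMPLE_TARBALL"

# Constructed stand-in for the hash lines of an openldap-announce post.
ANNOUNCEMENT="$WORK/announce.txt"
cat > "$ANNOUNCEMENT" <<'EOF'
Example release announcement (constructed for this example)

MD5 (openldap-example.tgz) = 900150983cd24fb0d6963f7d28e17f72
SHA1 (openldap-example.tgz) = a9993e364706816aba3e25717850c26c9cd0d89d
EOF

# Same file name, one byte appended: what a tampering mirror might serve.
mkdir -p "$WORK/tampered"
TAMPERED_TARBALL="$WORK/tampered/openldap-example.tgz"
printf 'abcd' > "$TAMPERED_TARBALL"

if verify_tarball "$SAMPLE_TARBALL" "$ANNOUNCEMENT"; then
    echo "genuine download: hashes match the announcement"
fi
if verify_tarball "$TAMPERED_TARBALL" "$ANNOUNCEMENT"; then
    echo "BUG: tampered download accepted"
else
    echo "tampered download: rejected"
fi
```

In real use the announcement text is pasted from the openldap-announce archive
into a local file, the tarball path points at the mirror download, and
verify_signed_hashes would be run first on the signature over the hash list,
with the key fetched from somewhere other than the mirror being checked.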