FWD: [OCLUG] GNU ftp servers compromised!

David Shaw dshaw@jabberwocky.com
Sun Aug 24 00:50:01 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Aug 17, 2003 at 09:56:31PM -0700, carl w spitzer wrote:
> What does this mean for reliability?  Did the gestapo (homeland security)
> do something?

It means nothing in regard to GnuPG.  GnuPG is not hosted on
ftp.gnu.org, and even if it were, each and every GnuPG release is
digitally signed by Werner.  It is not possible to trojan a release
without invalidating the signature.

(Someone will shortly respond to this mail to ask "How do I know it's
really Werner's key.  I have no trust path to him."  The answer is
even if you don't have a trust path to that key, it would be
extraordinarily difficult to replace the dozens of copies of that key
in various places around the net.  Each keyserver has it, many
previous releases of GnuPG have it, etc.)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj9H7+cACgkQ4mZch0nhy8la+ACgnRnpUFBKVX1WozPrn3dxFJRh
bUIAoJ8ScgaTcZnZMm4yRjKtJJWGxFm3
=uZx/
-----END PGP SIGNATURE-----
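The two properties David relies on above, that a modified release no longer verifies against its signature, and that a signing key copied to many independent places is hard to swap out even without a trust path, can be shown in a few dozen lines. The following is an added example written for this archive page; it is not code from the original post and not GnuPG's own code. It uses a textbook RSA signature over a SHA-256 digest as a stand-in for the OpenPGP signature on a release, with toy key sizes and a constructed "release tarball"; the key fingerprints of the "keyserver" and "old release" copies are constructed in the same script.

```python
"""Why a trojaned release fails signature verification, and why a key held in
many places is hard to replace.  Added example: textbook RSA (no padding) over
SHA-256 as a stand-in for an OpenPGP release signature.  Toy key sizes; not
for production use.
"""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)).  Toy sizes only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e is prime, so gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def sign_release(private_key, data: bytes) -> int:
    """Signature = H(data)^d mod n, standing in for Werner's detached .sig."""
    n, d = private_key
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(m, d, n)


def verify_release(public_key, data: bytes, signature: int) -> bool:
    """True only if the signature was made over exactly these bytes."""
    n, e = public_key
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == m


def key_fingerprint(public_key) -> str:
    """SHA-1 over the public key material, as a stand-in for a PGP fingerprint."""
    n, e = public_key
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha1(blob).hexdigest().upper()


def key_corroborated(fetched_key, independent_fingerprints, minimum: int = 2) -> bool:
    """The post's second point: even with no trust path, a key whose fingerprint
    matches copies held by several independent sources is hard to swap out."""
    fp = key_fingerprint(fetched_key)
    return sum(1 for f in independent_fingerprints if f == fp) >= minimum


def demo() -> dict:
    public, private = generate_keypair(1024)
    # Constructed stand-in for a release tarball.
    release = b"gnupg-1.2.3.tar.gz: constructed release contents\n"
    sig = sign_release(private, release)
    trojaned = release.replace(b"release contents", b"release contents + backdoor")

    # An attacker who also swaps in their own key can sign the trojan, but the
    # new key's fingerprint matches none of the independently held copies
    # (constructed here: a keyserver copy, a previous release, a web page).
    attacker_pub, _ = generate_keypair(1024)
    copies = [key_fingerprint(public)] * 3
    return {
        "genuine_verifies": verify_release(public, release, sig),
        "trojaned_verifies": verify_release(public, trojaned, sig),
        "real_key_corroborated": key_corroborated(public, copies),
        "attacker_key_corroborated": key_corroborated(attacker_pub, copies),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the tamper check is the same as for `gpg --verify` on a real release: the signature binds the signer's key to the exact bytes, so any change to the tarball changes the digest and the check fails. The corroboration check mirrors the advice in the post: compare the fingerprint of the key you fetched against copies obtained through independent channels before trusting it, rather than against the copy that came alongside the download.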