Please remove MacGPG from gnupg.org due to serious security concerns
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 18 20:24:52 CET 2015
On Wed 2015-02-18 11:46:23 -0500, Doug Barton wrote:
> On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
>> Well, I guess you have to take into account that a lot of downloads
>> are from packaging software like pkgsrc, FreeBSD ports, Gentoo
>> portage, ArchLinux's makepkg, etc. Usually, these do download the
>> signature and tarball once, verify it and then write a checksum to
>> the Makefile / PKGBUILD / however it is called that is then
>> verified. So I guess you can't easily map that to "Only x% of users
>> check the downloaded tarball". I guess it's a lot more, it's just that
>> not all of them check it using the .sig.
> Back when I was involved with the FreeBSD project I included code in the
> Makefile to verify the PGP signature for all of my ports that had one,
> as did a few other maintainers. However there was not only not a
> consensus to do this more generally, there was active opposition to
> doing it at all.
that's a bummer :(
> If you are a FreeBSD user and believe that this would be something
> beneficial to the ports system, please send them e-mail at
> freebsd-ports at freebsd.org and let them know. :)
In the Debian Project, we now have a simple framework for including
upstream signing keys and automatically checking them when fetching new
If you see a debian package that could make use of this but isn't
currently configured to do so, please file a bug report in the debian
BTS (or drop me an e-mail).
If it would help with arguing the case within FreeBSD to see how debian
does it, I'm happy to talk with any FreeBSDers about it too.
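An added example, not code from the thread, from FreeBSD ports or from the Debian framework dkg mentions. It shows the two-stage flow the posters describe: a packager verifies upstream's detached .sig once against a pinned keyring (gpgv, so nothing in the packager's own keyring or trust settings is consulted), then records a SHA-256 of the verified tarball in a distinfo-style manifest that every later fetch checks. The signing key, the tarball, the tampered copy and all file names are constructed for the demo; GnuPG 2.1 or later is assumed for the unattended key generation.

```shell
#!/bin/sh
# Added example, not code from the thread or from any port/package framework.
# Stage 1: verify the upstream detached signature with gpgv against a pinned
#          keyring (the role a port's pinned key or debian/upstream/signing-key.asc plays).
# Stage 2: record a SHA-256 of the verified tarball in a manifest and re-check it
#          on later fetches, as ports/pkgsrc distinfo files do.
# Key, tarball and file names are constructed here; GnuPG 2.1+ is assumed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

sha256_of() {                 # sha256_of FILE -> hex digest on stdout
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Stage 1: gpgv exits 0 only for a good signature by a key in KEYRING; the
# user's default keyring and web-of-trust settings are never consulted.
verify_tarball() {            # verify_tarball KEYRING TARBALL SIG
    gpgv --keyring "$1" "$3" "$2" >/dev/null 2>&1
}

# Stage 2: manifest lines follow the FreeBSD distinfo shape "SHA256 (name) = hex".
record_checksum() {           # record_checksum TARBALL MANIFEST
    printf 'SHA256 (%s) = %s\n' "$(basename "$1")" "$(sha256_of "$1")" >> "$2"
}
check_checksum() {            # check_checksum TARBALL MANIFEST -> 0 iff the digest matches
    expected=$(sed -n "s/^SHA256 ($(basename "$1")) = //p" "$2")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$1")" ]
}

# --- constructed "upstream": an ephemeral, unprotected signing key and a tiny tarball
gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Upstream Demo
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
mkdir -p "$WORK/src/demo-1.0"
printf 'int main(void) { return 0; }\n' > "$WORK/src/demo-1.0/main.c"
tar -C "$WORK/src" -cf "$WORK/demo-1.0.tar" demo-1.0
gpg --batch --yes --quiet --detach-sign -o "$WORK/demo-1.0.tar.sig" "$WORK/demo-1.0.tar" 2>/dev/null
# The pinned keyring a packager would ship with the port/package (binary, for gpgv):
gpg --batch --yes --quiet --export -o "$WORK/upstream-signing-key.gpg" upstream@example.invalid 2>/dev/null

# --- an attacker-modified copy with the same file name, served next to the real .sig
mkdir -p "$WORK/evil"
cp "$WORK/demo-1.0.tar" "$WORK/evil/demo-1.0.tar"
printf 'X' >> "$WORK/evil/demo-1.0.tar"

# --- packager's first fetch: verify the signature, then pin the digest
MANIFEST="$WORK/distinfo"
demo_signature_ok()          { verify_tarball "$WORK/upstream-signing-key.gpg" "$WORK/demo-1.0.tar"      "$WORK/demo-1.0.tar.sig"; }
demo_tampered_signature_ok() { verify_tarball "$WORK/upstream-signing-key.gpg" "$WORK/evil/demo-1.0.tar" "$WORK/demo-1.0.tar.sig"; }
demo_signature_ok             # set -e aborts here if upstream's signature is bad
record_checksum "$WORK/demo-1.0.tar" "$MANIFEST"

# --- every later fetch (or user build): only the recorded digest is checked
demo_checksum_ok()           { check_checksum "$WORK/demo-1.0.tar"      "$MANIFEST"; }
demo_tampered_checksum_ok()  { check_checksum "$WORK/evil/demo-1.0.tar" "$MANIFEST"; }

for t in demo_signature_ok demo_tampered_signature_ok demo_checksum_ok demo_tampered_checksum_ok; do
    if "$t"; then echo "$t: accepted"; else echo "$t: rejected"; fi
done
```

The tampered tarball is rejected at both stages: gpgv fails because the signature no longer covers the bytes, and the digest check fails because the recorded SHA-256 belongs to the verified copy. This is why recording the digest after a one-time .sig check, as the poster describes, is a sound substitute for re-verifying the signature on every fetch, as long as the manifest itself is part of the tree the packaging system protects.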