Please remove MacGPG from gnupg.org due to serious security concerns

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 18 20:24:52 CET 2015


On Wed 2015-02-18 11:46:23 -0500, Doug Barton wrote:
> On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
>> Well, I guess you have to take into account that a lot of downloads
>> are from packaging software like pkgsrc, FreeBSD ports, Gentoo
>> portage, ArchLinux's makepkg, etc. Usually, these do download the
>> signature and tarball once, verify it and then write a checksum to
>> the Makefile / PKGBUILD / however it is called that is then
>> verified. So I guess you can't easily map that to "Only x% of users
>> check the downloaded tarball". I guess it's a lot more, it's just not
>> all check it using the .sig.
>
> Back when I was involved with the FreeBSD project I included code in the 
> Makefile to verify the PGP signature for all of my ports that had one, 
> as did a few other maintainers. However there was not only not a 
> consensus to do this more generally, there was active opposition to 
> doing it at all.

that's a bummer :( 

> If you are a FreeBSD user and believe that this would be something 
> beneficial to the ports system, please send them e-mail at 
> freebsd-ports at freebsd.org and let them know. :)

In the Debian Project, we now have a simple framework for including
upstream signing keys and automatically checking them when fetching new
downloads:

  https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

If you see a debian package that could make use of this but isn't
currently configured to do so, please file a bug report in the debian
BTS (or drop me an e-mail).

If it would help with arguing the case within FreeBSD to see how debian
does it, i'm happy to talk with any FreeBSDers about it too.

Regards,

    --dkg
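As an added illustration (not part of dkg's message) of the debian/watch mechanism he links to: a watch file telling uscan where the upstream detached signature lives, with the upstream signing key pinned inside the source package. The project URL and version pattern are placeholders; the file names and the pgpsigurlmangle option are the ones documented in uscan(1).

```text
# debian/watch (format version 3, the one in use when this mail was written)
#
# pgpsigurlmangle derives the signature URL from each tarball URL found
# on the page: here "foo-1.2.tar.gz" -> "foo-1.2.tar.gz.sig".
version=3
opts=pgpsigurlmangle=s/$/.sig/ \
  https://example.org/releases/foo-([0-9.]+)\.tar\.gz

# debian/upstream/signing-key.asc
#
# ASCII-armoured export of the upstream release key (older uscan versions
# read a binary debian/upstream-signing-key.pgp instead). The key ships in
# the source package, so the signature is checked against a key the
# maintainer vetted once, not against whatever a keyserver returns today.
```

With both files in place, `uscan` downloads the tarball and its `.sig`, verifies the signature with the pinned key, and rejects the download when verification fails, so every maintainer of the package gets the check without running gpg by hand.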