Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 05/17/2004 14:09:00
I have a suggestion which may be heretical, but seems reasonable to me:
why not sign things with GPG, PGP, nbsvtool, and whatever other forms
of sigature we think have wide enough acceptance to be worth using?
(S/MIME, maybe?) The nbsvtool (or whatever) signatures can be checked
by the NetBSD tools, with any of them checkable by humans who want to
make sure they've got a clean distribution when they have it on some
other (non-NetBSD) machine.
The truly paranoid, of course, will check them all, which is as it
should be; as someone pointed out, having more signatures cannot make
the file itself less secure - at most they can lead to a false sense of
security, and I don't think that's a danger when providing a half-dozen
different forms of signature over the same files.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML email@example.com
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B