Re: Review request for oclock package (orphaned since F35)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ben Beasley wrote:
> Please compare with https://src.fedoraproject.org/rpms/xfontsel/blob/rawhide/f/xfontsel.spec, paying close attention to the comments in the spec file. SKS keyservers have gone offline since that package obtained its keyring, so try using hkps://keys.openpgp.org instead.

To elaborate on this, the procedure described in xfontsel.spec finds the
key that was used to make the signature, so whoever made the signature
becomes the trusted upstream.

If you do that *once*, it's a form of trust on first use. It lets you
discover future attacks as long as you continue using the same key,
assuming that you got the right key to begin with.

If you would repeat the key lookup every time you upgrade the package,
then you would render the verification meaningless. You'd just be
verifying that the tarball was signed by whoever signed the tarball. So
don't do that.

Björn Persson

Attachment: pgpt_OtjhV9oG.pgp
Description: OpenPGP digital signatur

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux