oss-sec mailing list archives

Re: CVE for Kali Linux


From: Jeremy Stanley <fungi () yuggoth org>
Date: Sun, 22 Mar 2015 19:35:21 +0000

On 2015-03-22 20:19:00 +0100 (+0100), Kristian Fiskerstrand wrote:
> [...]
> The package being signed using the same key over
> time signifies that it is coming from authoritative source (unless
> you've been MITMed a long time), the fingerprint of the OpenPGP key
> should be included in email announcements and other documents that are
> being mirrored by multiple sources, reducing the likelihood of a MITM
> if corresponding information is the same in multiple archives over a
> long time.
> [...]

And the repository signing key is hopefully also published to a
well-known keyserver network along with signatures from maintainers
of the primary distribution repository, some of whom may be known
(either directly or transitively via other key signatures) to the
end user. And repository signing keys can be gradually replaced by
generating new keys well in advance and signing them with the old
keys as a transition, then adding them to the trust keyring long
enough before the current key is retired that clients already have
it once it starts to get used.
-- 
Jeremy Stanley
