oss-sec mailing list archives
Re: CVE for Kali Linux
From: Jeremy Stanley <fungi () yuggoth org>
Date: Sun, 22 Mar 2015 19:35:21 +0000
On 2015-03-22 20:19:00 +0100 (+0100), Kristian Fiskerstrand wrote:
[...]
> The package being signed using the same key over time signifies that it is coming from an authoritative source (unless you've been MITMed a long time), the fingerprint of the OpenPGP key should be included in email announcements and other documents that are being mirrored by multiple sources, reducing the likelihood of a MITM if corresponding information is the same in multiple archives over a long time.
[...]

And the repository signing key is hopefully also published to a well-known keyserver network along with signatures from maintainers of the primary distribution repository, some of whom may be known (either directly or transitively via other key signatures) to the end user. And repository signing keys can be gradually replaced by generating new keys well in advance and signing them with the old keys as a transition, then adding them to the trust keyring long enough before the current key is retired that clients already have it once it starts to get used.
--
Jeremy Stanley
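
The key transition described in the message above can be checked mechanically against a rollover schedule. The following is an added example, not part of the original message or of any distribution's tooling; the `RepoKey` fields, the `check_rollover` helper, the 180-day lead time and the key labels are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class RepoKey:
    fpr: str                    # constructed label, not a real fingerprint
    certified_by: frozenset     # labels of keys that signed this key
    in_keyring: date            # day the keyring update shipping it is published
    signs_from: date            # first day repository metadata is signed with it
    retired: Optional[date] = None  # None means still in service

def check_rollover(keys, root, lead=timedelta(days=180)):
    """Return a list of problems in a key transition plan (empty = sound).

    `root` is the one key trusted out of band; `lead` is an assumed policy
    value for how long clients need to pick up a keyring update.
    """
    problems, accepted = [], {}
    for key in sorted(keys, key=lambda k: k.in_keyring):
        if key.fpr == root:
            accepted[key.fpr] = key
            continue
        # Old keys that vouch for this one and were still live when it shipped.
        vouchers = [accepted[f] for f in key.certified_by if f in accepted
                    and (accepted[f].retired is None
                         or accepted[f].retired > key.in_keyring)]
        if not vouchers:
            problems.append(f"{key.fpr}: not signed by a key clients already trust")
            continue
        if key.signs_from - key.in_keyring < lead:
            problems.append(f"{key.fpr}: in keyring only "
                            f"{(key.signs_from - key.in_keyring).days} days before use")
        if all(v.retired is not None and v.retired < key.signs_from for v in vouchers):
            problems.append(f"{key.fpr}: every certifying key retires before it signs")
        accepted[key.fpr] = key
    return problems

# Constructed plans: labels and dates are illustrative only.
OLD = RepoKey("OLD", frozenset(), date(2012, 1, 1), date(2012, 1, 1), date(2016, 1, 1))
GOOD = [OLD, RepoKey("NEW", frozenset({"OLD"}), date(2015, 1, 1), date(2015, 9, 1))]
RUSHED = [OLD, RepoKey("NEW", frozenset({"OLD"}), date(2015, 12, 1), date(2015, 12, 15))]
ORPHAN = [OLD, RepoKey("NEW", frozenset(), date(2015, 1, 1), date(2015, 9, 1))]

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("rushed", RUSHED), ("orphan", ORPHAN)):
        print(name, check_rollover(plan, root="OLD"))
```

An empty list means every new key was certified by a key clients already held and reached the keyring early enough; each string names the step of the transition the plan skips.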