 kernel.org frontpage
Just in case anyone cares :) I have changed the kernel.org frontpage
from linking to .gz to linking to .bz2 files.  It should now also
display snapshot releases if they exist.

        -hpa
--
<h...@transmeta.com> at work, <h...@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.**-**.com/ ~hpa/puzzle.txt   <a...@zytor.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at   http://www.**-**.com/
Please read the FAQ at   http://www.**-**.com/



 Sun, 17 Jul 2005 06:50:05 GMT   
 kernel.org frontpage

Cool, would it be worth putting in a link to the relevant .sign files
as well?

John



 Sun, 17 Jul 2005 10:50:16 GMT   
 kernel.org frontpage

No, it would add absolutely nothing (other than clutter.)  All the .sign
files are good for is to check for rogue mirrors.

        -hpa




 Sun, 17 Jul 2005 11:00:27 GMT   
 kernel.org frontpage

On Wed, 29 Jan 2003 01:52:43 PST, "H. Peter Anvin" said:

Or a rogue *primary* site, as has already happened to OpenSSH and Sendmail.



 Sun, 17 Jul 2005 16:20:13 GMT   
 kernel.org frontpage

NO!

THE SIGN FILES DO NOT VERIFY AGAINST A COMPROMISED KERNEL.ORG MASTER SITE.

        -hpa




 Sun, 17 Jul 2005 19:20:13 GMT   
 kernel.org frontpage

Perhaps for the truly paranoid the signatures should be posted to this
newsgroup and digitally signed by someone trusted.

Chris

--
Chris Friesen                    | MailStop: 043/33/F10
Nortel Networks                  | work: (613) 765-0557
3500 Carling Avenue              | fax:  (613) 765-2986
Nepean, ON K2H 8E9 Canada        | email: cfrie...@nortelnetworks.com




 Sun, 17 Jul 2005 19:40:11 GMT   
 kernel.org frontpage

On Wed, 29 Jan 2003 13:36:55 EST, Chris Friesen said:

It's called the PGP web of trust.  There's already some 107 signatures on
the PGP key - who else would you want signing it?  The point is that we've
already (presumably) proved via the web-of-trust that PGP key 517d0f0e is
in fact the proper key, and that for an intruder to post a valid signature
of a trojaned .tar.gz would require them to *ALSO* compromise the machine
that the signing is done on (hopefully a different machine than ftp.kernel.org).

Yes, an intruder could leave a forged signature with a random key easily. But
to leave a forged signature with the key that's already on my keyring is a
lot harder...
--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
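
Added example (not part of the thread and not kernel.org's tooling): the difference between "a signature verified" and "the key already on my keyring made it", checked by parsing the machine-readable status lines that `gpg --status-fd` emits. The fingerprint and all sample status lines are constructed placeholders, since the thread gives only the short key ID.

```python
# Status lines come from: gpg --status-fd 1 --verify FILE.sign FILE
# Constructed placeholder fingerprint; the thread names only a short key ID.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Accept only a single valid signature made by the pinned primary key."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag, args = fields[1], fields[2:]
        if tag in REJECT:
            return False, tag
        if tag == "VALIDSIG" and args:
            # 10th argument is the primary key fingerprint; older output
            # carries only the signing key fingerprint in the first argument.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if len(signers) != 1:
        return False, "no single valid signature"
    if signers[0] != pinned_fpr.upper():
        return False, "valid signature, but not from the pinned key"
    return True, "ok"


# Constructed sample: signature made by the pinned key.
PINNED_SIG = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Archive Key <archive@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-01-29 1043800000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed sample: a different key that happens to be on the keyring.
# gpg reports GOODSIG here too, so GOODSIG alone proves nothing.
OTHER_KEY_ON_KEYRING = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Other Key <other@example.org>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210 2003-01-29 1043800000 0 3 0 17 2 00 FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210
"""

# Constructed sample: signing key is not on the keyring at all.
UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1043800000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
```

A passing result shows only that the holder of the pinned private key produced the signature; where that key is stored is outside what this check can see.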



 Sun, 17 Jul 2005 20:30:08 GMT   
 kernel.org frontpage

On Wed, 29 Jan 2003 19:14:43 GMT, John Bradford said:

I was arguing that they *should* be on the front page, since they *are*
useful and it *would* lower the number of requests.

--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech



 Sun, 17 Jul 2005 20:30:10 GMT   
 kernel.org frontpage

I see what you mean, but I don't see how it makes it any less useful
to have them on the front page - if you download the latest kernel
patch from a mirror, you could then just click on the relevant link on
the front page of kernel.org - in fact, as http access to kernel.org is
frequently much slower than ftp, it might actually be very useful,
because anybody downloading via http would make two requests, (OK,
about 7, because of the images on the front page), instead of about
13, if they traverse each directory to the .sign file.

John



 Sun, 17 Jul 2005 20:30:09 GMT   
 kernel.org frontpage

Or just sign them on the ftp site with the key from someone trusted.

-Andi



 Sun, 17 Jul 2005 20:30:11 GMT   
 kernel.org frontpage

No, just download the signature from the mirror and verify it.  This
isn't an MD5 signature.

        -hpa




 Sun, 17 Jul 2005 20:40:04 GMT   
 kernel.org frontpage

I am not going to do something that will provide false security to
people.  Case closed; please read the signature FAQ.

        -hpa




 Sun, 17 Jul 2005 20:40:07 GMT   
 kernel.org frontpage

I believe a script signs the files on ftp.kernel.org, which means the
private key is on the master machine, probably without a pass phrase.
That means that if the master server is compromised, it's highly likely
that a rogue file will have a correct signature.

As hpa says, the GPG signature provides no assurance that Linus put
up patch-2.5.60.bz2 and not some random other person.

The only way to be completely sure is for Linus to gpg-sign the patches
himself at source with a known gpg key using a secure pass phrase before
they leave his machine (preferably before the machine is connected to
the 'net to upload them for the really paranoid.)

--
Russell King (r...@arm.linux.org.uk)                The developer of ARM Linux
             http://www.arm.linux.org.uk/personal/aboutme.html




 Sun, 17 Jul 2005 20:40:16 GMT   
 kernel.org frontpage

On Wed, 29 Jan 2003 19:37:50 GMT, Russell King said:

OK.. I missed that part, and thought somebody was doing a check-and-balance
before files went out.

Now there's a thought.. ;)



 Sun, 17 Jul 2005 21:00:08 GMT   
 kernel.org frontpage

Sorry, I'd deleted the original message, and didn't want to break the
thread :-)

John.



 Sun, 17 Jul 2005 21:00:11 GMT   
 