Re: verifying PGP signed package-index files

Thursday, 29 November 2001

        ...
>>>> "SY" == Steve Youngs
<youngs(a)xemacs.org&gt; writes: 
    SY> Another thing that concerns me is that if I apply the patch to
    SY> fix the PGP stuff and then start signing the package-index
    SY> files it'll bugger up any XEmacsen that is pre-PGP-patch.

Why is that?  Oh, because the current code looks for the signature,
and if it's not there, asks if it's OK---but if it were there but
wrong, it would barf?

What you could do is change the name of the signature, that way only
patched XEmacsen would know that the signature exists.  Put in an
option not to use it.

As for why have it, I think paranoia is a good thing.  I thought it
was totally historical when the chair of the Information Science
graduate program here SirCam'ed us on an internal mailing list.  But
free software has vulnerabilities too, and if people want to be
careful we should provide them with the facilities.

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
              Don't ask how you can "do" free software business;
              ask what your business can "do for" free software.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

Re: verifying PGP signed package-index files