[Gta04-owner] [Tinkerphones] Towards QtMoko2: building QtMoko from sources

Jonas Smedegaard jonas at jones.dk
Sun Jun 4 10:17:12 CEST 2017


Quoting Roland Häder (2017-06-03 22:12:23)
> Do not bypass security! Better is to get it properly signed.

Yes, establishing a trust path (which includes offering signed package 
release files but also other parts) is better than not doing so.

Maintained packages are even better - e.g. collectively by Debian.


> You should then provide the GPG public key (obviously) on your website 
> so people can use it for verification the apt-key-common way:
> 
> gpg --keyserver pgpkeys.mit.edu --recv-key  xxxxxx
> gpg -a --export xxxxxx | sudo apt-key add -

The above verifies only that the signing key exists on that public keyserver 
- it does not establish a trust path and is therefore not (on its own) 
trustworthy.

Please read http://deb.jones.dk/ and tell me which parts of that are 
flawed or superfluous or wrong in other ways.


> where xxxxxx is the long key id (don't encourage short keys, they are 
> flawed as malicious people can theoretically craft a pgp key that has the 
> same (!) short key, like it already happened with Linus Torvalds' key).

Yes, do that and also a range of other best practices: 
https://help.riseup.net/en/security/message-security/openpgp/best-practices


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
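A defender-side check in the spirit of the points above (an added example, not code from the thread, from QtMoko or from deb.jones.dk): parse the `fpr:` records of `gpg --with-colons`, accept a fetched key only if its full fingerprint matches one obtained out of band, and show that a short key id alone cannot tell a constructed impostor from the genuine key. All key material, ids, the sample output and the `check_sample` helper are constructed for illustration.

```python
import hmac
import re

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

def fingerprints_from_colons(gpg_colons_output: str) -> list[str]:
    """Primary-key fingerprints from `gpg --with-colons` output: the `fpr:`
    record after each `pub:` carries it in field 10; subkey fprs are skipped."""
    fprs, after_pub = [], False
    for line in gpg_colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            after_pub = fields[0] == "pub"
        elif fields[0] == "fpr" and after_pub:
            fprs.append(fields[9].upper())
            after_pub = False
    return fprs

def key_ids(fingerprint: str) -> tuple[str, str]:
    """(long id, short id): the low 64 / low 32 bits of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def key_is_pinned(fingerprint: str, pinned_fingerprint: str) -> bool:
    """Accept only an exact 40-hex fingerprint match, compared in constant time."""
    fpr = fingerprint.replace(" ", "").upper()
    pin = pinned_fingerprint.replace(" ", "").upper()
    if not (FPR_RE.match(fpr) and FPR_RE.match(pin)):
        return False
    return hmac.compare_digest(fpr, pin)

# Constructed `gpg --with-colons --list-keys` output (not real keys); the second
# key is a made-up impostor sharing the genuine key's SHORT id 89ABCDEF only.
SAMPLE_COLONS = """\
pub:-:4096:1:0123456789ABCDEF:1496390000::-:::scESC::::::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC22220123456789ABCDEF:
sub:-:4096:1:FEDCBA9876543210:1496390000::::::s::::::23:
fpr:::::::::111122223333444455556666FEDCBA9876543210:
pub:-:4096:1:FFFFFFFF89ABCDEF:1496390000::-:::scESC::::::23::0:
fpr:::::::::999988887777666655554444FFFFFFFF89ABCDEF:
"""
PINNED = "AAAA 0000 BBBB 1111 CCCC  2222 0123 4567 89AB CDEF"  # published out of band

def check_sample() -> dict:
    genuine, impostor = fingerprints_from_colons(SAMPLE_COLONS)
    return {
        "same_short_id": key_ids(genuine)[1] == key_ids(impostor)[1],
        "same_long_id": key_ids(genuine)[0] == key_ids(impostor)[0],
        "genuine_pinned": key_is_pinned(genuine, PINNED),
        "impostor_pinned": key_is_pinned(impostor, PINNED),
    }
```

Only the key whose full fingerprint equals the pinned value is accepted; matching on the 8-hex short id would have accepted both.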