[Gta04-owner] [Tinkerphones] Towards QtMoko2: building QtMoko from sources
Jonas Smedegaard
jonas at jones.dk
Sun Jun 4 10:17:12 CEST 2017
Quoting Roland Häder (2017-06-03 22:12:23)
> Do not bypass security! Better is to get it properly signed.
Yes, establishing a trust path (which includes offering signed package
release files but also other parts) is better than not doing so.
Maintained packages are even better - e.g. collectively by Debian.
> You should then provide the GPG public key (obviously) on your website
> so people can use it for verification the apt-key-common way:
>
> gpg --keyserver pgpkeys.mit.edu --recv-key xxxxxx
> gpg -a --export xxxxxx | sudo apt-key add -
Above verifies only that the signing key exists on that public keyserver
- it does not establish a trust path and is therefore not (on its own)
trustworthy.
Please read http://deb.jones.dk/ and tell me which parts of that are
flawed or superfluous or wrong in other ways.
> by xxxxxx is the long key id (don't encourage short keys, they are
> flawed as malicious people can theoretically craft a pgp key that has the
> same (!) short key, like it already happened with Linus Torvalds' key.
Yes, do that and also a range of other best practices:
https://help.riseup.net/en/security/message-security/openpgp/best-practices
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
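The point made above (a short key id is not enough to identify a key; pin and compare the full fingerprint) as an added example, not code from the original thread. The fingerprints are constructed placeholders, not real keys; the second is deliberately built to share its last 8 hex digits (its short key id) with the first.

```python
"""Compare a retrieved OpenPGP key against a pinned identifier.

Added example for the thread above; the fingerprints are constructed and
belong to no real key. OpenPGP v4 key ids are suffixes of the fingerprint:
the long id is the last 16 hex digits, the short id the last 8.
"""
import re

# Constructed 40-hex-digit fingerprints. COLLIDING_FPR shares only its
# short key id (DEADBEEF) with PINNED_FPR, so matching on 8 digits would
# accept the wrong key.
PINNED_FPR = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 DEAD BEEF"
COLLIDING_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 DEAD BEEF"


def normalize(ident):
    """Strip whitespace and an optional 0x prefix; return upper-case hex."""
    s = re.sub(r"\s+", "", ident).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError(f"not a hex key identifier: {ident!r}")
    return s


def identifier_kind(ident):
    """Classify an identifier by length: short id, long id or fingerprint."""
    n = len(normalize(ident))
    return {8: "short_keyid", 16: "long_keyid", 40: "fingerprint"}.get(n, "unknown")


def short_keyid(fpr):
    return normalize(fpr)[-8:]


def long_keyid(fpr):
    return normalize(fpr)[-16:]


def matches(pinned, candidate_fpr):
    """True only if the candidate key's fingerprint agrees with the pinned
    identifier. A pinned full fingerprint must match exactly; a pinned long
    id is compared against the candidate's long id; a short id (or anything
    else) is refused outright, since different keys can share one."""
    kind = identifier_kind(pinned)
    if kind == "fingerprint":
        return normalize(pinned) == normalize(candidate_fpr)
    if kind == "long_keyid":
        return normalize(pinned) == long_keyid(candidate_fpr)
    return False
```

Run `matches(PINNED_FPR, COLLIDING_FPR)` to see the colliding key rejected even though `short_keyid` is identical for both.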