[Letux-kernel] [Tinkerphones] [Gta04-owner] Towards QtMoko2: building QtMoko from sources
jonas at jones.dk
Sun Jun 4 10:17:12 CEST 2017
Quoting Roland Häder (2017-06-03 22:12:23)
> Do not bypass security! Better is to get it properly signed.
Yes, establishing a trust path (which includes offering signed package
release files but also other parts) is better than not doing so.
Maintained packages are even better - e.g. collectively by Debian.
> You should then provide the GPG public key (obviously) on your website
> so people can use it for verification the apt-key-common way:
> gpg --keyserver pgpkeys.mit.edu --recv-key xxxxxx
> gpg -a --export xxxxxx | sudo apt-key add -
Above verifies only that the signing key exists on that public keyserver
- it does not establish a trust path and is therefore not (on its own)
Please read http://deb.jones.dk/ and tell me which parts of that is
flawed or superfluous or wrong in other ways.
> by xxxxxx is the long key id (don't encourage short keys, they are
> flawed as malicious people can theoretically craft a pgp key that has the
> same (!) short key, like it already happened with Linus Torvalds' key).
Yes, do that and also a range of other best practices:
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
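An added example, not part of Jonas's or Roland's messages nor of the deb.jones.dk setup: a small POSIX sh script that refuses to trust a repository key on the strength of a short (32-bit) or long (64-bit) key id at all, and instead pins the full 160-bit fingerprint of a key file downloaded from the project's website. It derives the long and short ids from the fingerprint (for OpenPGP v4 keys the key id is simply the low-order bits of the fingerprint), which is exactly why a short id is no protection against a crafted colliding key. The fingerprint EXAMPLE_FPR, the key file name and the keyring path are constructed placeholders, not a real key; it assumes GnuPG 2.1.13 or later (for the show-only colon listing) and an apt that understands the signed-by option.

```shell
#!/bin/sh
# Added example (not from the thread): pin a full OpenPGP fingerprint for an apt key.
set -eu

# Constructed placeholder fingerprint, NOT a real key; replace with the project's published one.
EXAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

# Canonical form: strip whitespace, uppercase; prints nothing and fails unless it is 40 hex chars.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $f in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# v4 key ids are the low-order 64 / 32 bits of the fingerprint, i.e. its last 16 / 8 hex digits.
long_key_id()  { f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c25-40; }
short_key_id() { f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c33-40; }

# Succeeds only when both values are full fingerprints and equal; a short or long
# key id can therefore never satisfy the pin, by construction.
fpr_matches() {
    p=$(normalize_fpr "$1") || return 1
    c=$(normalize_fpr "$2") || return 1
    [ "$p" = "$c" ]
}

# Primary-key fingerprint of an (ASCII-armoured) key file, read from gpg's colon listing:
# the first "fpr" record after a "pub" record, field 10.
key_file_fingerprint() {
    gpg --batch --quiet --with-colons --import-options show-only --import "$1" 2>/dev/null \
      | awk -F: '$1=="pub"{p=1} $1=="fpr" && p{print $10; p=0; exit}'
}

# Verify the downloaded key against the pin, then install it as a dedicated keyring
# for use with "deb [signed-by=DEST] ..." instead of apt-key add.
install_pinned_apt_key() {
    pinned=$1 keyfile=$2 dest=$3
    actual=$(key_file_fingerprint "$keyfile")
    if fpr_matches "$pinned" "$actual"; then
        gpg --batch --yes --dearmor -o "$dest" "$keyfile"
        echo "installed $dest (fingerprint $actual)"
    else
        echo "fingerprint mismatch: expected $pinned, key file has ${actual:-none}" >&2
        return 1
    fi
}

# Usage (hypothetical paths):
#   curl -fsSL https://example.org/repo-key.asc -o /tmp/repo-key.asc
#   install_pinned_apt_key "$EXAMPLE_FPR" /tmp/repo-key.asc /etc/apt/keyrings/example.gpg
#   deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.org/debian stable main
```

The pinned fingerprint still has to come from somewhere trustworthy (the project's website over TLS, a signed announcement, or a Debian-maintained keyring package), which is the trust path point made above; the script only makes sure that whatever you obtained via a keyserver or download is the key you meant, rather than any key that happens to share its last eight hex digits.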