Re: PGP Keys
On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
>
> On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
>
> >Does anybody know where I could get the PGP keys to verify the
> >integrity of the source code I downloaded from a mirror?
>
> PGP is not used to sign releases or release announcements.
>
> To verify the integrity of a tarball download from ftp.openldap.org or
> a mirror, you can check it against the SSHA1 and/or MD5 hashes
> published as part of the announcement for the release (posted to
> openldap-announce@openldap.org , archived in that list's archives).
>
> Hash verification is not intended to detect instances where
> openldap.org hosted services have been hijacked or otherwise seriously
> compromised.
However, only offering the option to verify the hashes using unsigned
emails or non-https publications on a web site is offering up many
more attack vectors.
PGP-signing the hashes would solve this problem and is bog standard
practice in many (most?) projects and I would like to see it offered by
OpenLDAP.
Cheers,
Dominic.
--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
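As an added example (not code from this thread or from OpenLDAP), the hash check Kurt describes, written as a POSIX shell function that fails closed when a hash is missing or mismatched; the tarball name and the "ALGO (file) = hash" announcement layout are constructed assumptions, not OpenLDAP's real format, and GNU coreutils sha1sum/md5sum are assumed.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against hash lines in a release
# announcement. Assumes GNU coreutils (sha1sum, md5sum). All file names and
# the announcement layout below are constructed for the example.

# Build a constructed tarball and matching announcement so this runs offline.
make_fixture() {
  dir=$(mktemp -d)
  printf 'constructed release contents\n' > "$dir/openldap-0.0.0.tgz"
  sha=$(sha1sum "$dir/openldap-0.0.0.tgz" | cut -d' ' -f1)
  md5=$(md5sum "$dir/openldap-0.0.0.tgz" | cut -d' ' -f1)
  cat > "$dir/announce.txt" <<EOF
OpenLDAP 0.0.0 (constructed announcement)
SHA1 (openldap-0.0.0.tgz) = $sha
MD5 (openldap-0.0.0.tgz) = $md5
EOF
  echo "$dir"
}

# verify_release TARBALL ANNOUNCEMENT
# Returns 0 only if every hash the announcement publishes for the file
# matches; returns 1 on any mismatch or if the file is not listed at all.
# Note: this only detects a corrupted or swapped download. It cannot tell
# whether the announcement itself is genuine; that is what a signature on
# the announcement (e.g. `gpg --verify announce.txt.asc announce.txt`,
# run before trusting these lines) would add.
verify_release() {
  tarball=$1; announce=$2; name=$(basename "$tarball"); found=0
  for algo in SHA1 MD5; do
    published=$(grep -E "^$algo \($name\) = " "$announce" \
                | sed 's/.* = //' | tr 'A-F' 'a-f')
    [ -n "$published" ] || continue   # this algorithm not published; skip
    found=1
    case $algo in
      SHA1) actual=$(sha1sum "$tarball" | cut -d' ' -f1) ;;
      MD5)  actual=$(md5sum "$tarball" | cut -d' ' -f1) ;;
    esac
    [ "$actual" = "$published" ] \
      || { echo "$algo mismatch for $name" >&2; return 1; }
  done
  [ "$found" -eq 1 ] || { echo "no hash published for $name" >&2; return 1; }
  echo "hashes match for $name"
}
```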