[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Need better release validation documentation/strategy.

From: Bob Friesenhahn
Subject: Re: Need better release validation documentation/strategy.
Date: Sat, 9 Apr 2022 09:36:22 -0500 (CDT)
User-agent: Alpine 2.20 (GSO 67 2015-01-07)

On Fri, 8 Apr 2022, ckeader wrote:

The key server network as we knew it is dead and buried, and I would not
expect any of them to provide complete or indeed reliable information.
This article explains why:
There was some discussion at the time over on gnupg-users also.

This was facinating reading, and I was not aware of any of it before. Unfortunately, I have not figured out how to follow its advice yet.

Everything related to OpenPGP is extremely obtuse with massive amounts of documentation.

OpenSSH 8 and later offer a facility which allows validating a file's origin and integrity given a certificate (see I gave this a try and it was remarkably simple. It is several orders of magnitude less complex than OpenPGP and many people use OpenSSH. Unfortunately, not all systems have OpenSSH 8 yet (or will ever have OpenSSH). Another issue is that users could be confused by ".sig" files and won't know if they should use OpenSSH or gpg to validate with them without looking at the content.

Providing the signer's pub keys on a (secured) web site seems to be the
best option for now.

I have been using several mechanisms, including an insecure URL link as is shown in my email signature text.

An important question has not been asked yet, IMHO - why are maintainers
using this relatively obscure method for hashing?

Yes, this is very obscure and it defeats the purpose, which should be to encourage verification.

Bob Friesenhahn,
GraphicsMagick Maintainer,
Public Key,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]