gnu-arch-users

Re: [Gnu-arch-users] Re: (fairly minor) SECURITY ISSUE


From: Robert Collins
Subject: Re: [Gnu-arch-users] Re: (fairly minor) SECURITY ISSUE
Date: Sat, 24 Jan 2004 23:52:54 +1100

On Sat, 2004-01-24 at 23:22, Johannes Berg wrote:
> On Sat, 2004-01-24 at 13:26, Robert Collins wrote:
> > As has been pointed out several times: getting the data -from- gpg is
> > the Right Way. So, who's up to make a patch? I don't have time now, and
> > won't for some time to do this, but we should have this in for 1.2, as
> > it will change the check scripts.
> 
> I'll have a stab at it, but if I don't report success today then
> consider the attempt failed, because I won't have time during the week.

Cool. A quick sketch of the approach...
1) alter your check script to output the content and fail if the
signature isn't valid.
2) alter arch to (for signed archives only) get the checksum file
content from the check script's stdout, instead of from the checksum
file itself.

That should be all you need to do.

Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Attachment: signature.asc
Description: This is a digitally signed message part
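
The two steps sketched in the message above, as an added shell example that is not part of the original message and is not arch's own code. The names `CHECK_CMD`, `check_script` and `verified_checksum_for`, and the `md5 <name> <hex>` line format, are assumptions made for illustration; the default verifier assumes a clearsigned checksum file and a populated GnuPG keyring.

```shell
#!/bin/sh
# Added illustration of the two-step sketch; all names here are hypothetical.

# Command that verifies a signed file on stdin and writes the signed content
# to stdout. Default assumes a clearsigned file and a populated GnuPG keyring.
CHECK_CMD=${CHECK_CMD:-"gpg --batch --quiet --decrypt"}

# Step 1: the check script. Emits the verified content, or nothing and a
# non-zero status if the signature is not valid.
check_script() {
    tmp=$(mktemp) || return 2
    # Buffer the output: a verifier may write data before it reports failure.
    if $CHECK_CMD >"$tmp" 2>/dev/null; then
        cat "$tmp"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Step 2: the caller. Looks up a checksum in the check script's stdout and
# never parses the checksum file itself.
# $1 = signed checksum file, $2 = name to look up.
# Assumed line format (constructed for this example): md5 <name> <hex>
verified_checksum_for() {
    content=$(check_script <"$1") || return 1
    printf '%s\n' "$content" |
        awk -v f="$2" '$1 == "md5" && $2 == f { print $3; found = 1 }
                       END { exit !found }'
}
```

Because the lookup only ever sees what the verifier emitted, any text in the checksum file that lies outside the signed region never reaches the parser.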

