Why aren't GPG sigs linked on the front page of kernel.org?
Title says it all. You can download full source, patches, changelogs, whatever for multiple versions directly from the front page of kernel.org. However, if you want the GPG sig of the source, you have to click down into the archives. I assume there must be a sound reason for this, but for the life of me I cannot figure out what it is.
Not linking the signing key[s] I understand, but why not the sig?
@quiescere: The folks you were/are communicating with are likely overworked and absurdly busy.
I agree that it sounds like their reply didn't address your question. And your point is a good one: pubkeys (to verify signatures) should probably be more prominently displayed and more easily discovered.
You might reply again to the thread you've already started with them. Use clear, succinct English, and request an actionable item.
Good luck pursuing it further.
-------
Edited to add: the keys are actually linked to on the front page. But they're way, way below the fold. You have to scroll down to see them. See attached PNG for a screenshot.
anomie, I sincerely appreciate the attention you've given my question, but this is still not quite what I am asking. I'm not as concerned about the public keys, which only need to be retrieved once. It's the signature files that must be downloaded with each new kernel version that interest me.
Ah, gotcha. The signed MD5 / SHA1 / whatever digests of the kernel. Yes, that's just as important as the keys themselves if you wish to verify the kernel you're downloading hasn't been tampered with.
Yes, especially important since kernel.org got hacked a while back.
I also would like to know more about the hack, but no info was released on it.