Slackware - This forum is for the discussion of Slackware Linux.
For slackbuilds.org's official HTTP repository, each SlackBuild is extracted before building from a .tar.gz signed with PGP (the .asc files, like /var/lib/sbopkg/SBo/13.37/libraries/libvpx.tar.gz.asc).
In the case of a git repository, everything is signed and hashed in the repository itself (by design), so there's no need to verify manually with PGP.
Quote:
In the case of a git repository, everything is signed and hashed in the repository itself (by design), so there's no need to verify manually with PGP.
I'm not familiar with git, but a quick Google search seems to suggest that signing tags is optional.
However, even if it weren't optional, the actual download of the "prebuilt package" at http://www.sbopkg.org/downloads.php comes straight over HTTP, with git not involved. So without an accompanying signature, how can I know that I've downloaded the authentic package which has come out of a secure(?) git repository?
What am I missing?!
Ah, I've found sha1 checksums if I download from this page http://code.google.com/p/sbopkg/downloads/list, which thinking about it doesn't add much in terms of verifying package authenticity, because I can't tell whether the hash value itself is authentic. Doh!
Quote:
I'm not familiar with git, but a quick Google search seems to suggest that signing tags is optional.
Every commit is signed.
Sorry, I had understood you were referring to the repositories sbopkg uses, not to sbopkg itself.
Just two considerations:
- the upload is by slakmagik: I can read his name, he logged in and Google guarantees that he is himself;
- I think the SHA-1 hash value is calculated by Google Code.
Interesting. I'll have to take a closer look at git (especially given its increasing popularity; I mostly use bazaar).
Quote:
Sorry, I had understood you were referring to the repositories sbopkg uses, not to sbopkg itself.
Just two considerations:
- the upload is by slakmagik: I can read his name, he logged in and Google guarantees that he is himself;
- I think the SHA-1 hash value is calculated by Google Code.
OK, yes, that is some assurance.
I guess my point is that from the web interface everything looks ok, but really I could be being served with anything, from anywhere, and without a key or hash from some ultimately trusted source I can't tell.
Still, not a completely unusual state of affairs (I suppose I'd expected signatures on something that plays such a critical role in the system, especially since sbopkg expects signatures on the sbo downloads).
Quote:
I guess my point is that from the web interface everything looks ok, but really I could be being served with anything, from anywhere, and without a key or hash from some ultimately trusted source I can't tell.
And how would you tell that the person signing it is trustworthy?
Quote:
And how would you tell that the person signing it is trustworthy?
Chain of trust etc. Fair enough.
But surely a suspect key is easier to detect than a suspect file?
After all, (i) if a key has been used over a period of time then a different key would be detected by the community.
And (ii) keys can be published in multiple places, which makes it harder to publish a fake key than to publish, for example, a single fake download.
And once I've decided to trust a key, then by implication I can trust future files signed with the same key, rather than examine each file anew.
What approach do you take?
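The check the thread keeps circling back to, as an added example that is not part of the original posts and not sbopkg's own code: a download is only as trustworthy as the key or hash it is compared against, and that reference value has to come from somewhere other than the page serving the file. The script below separates the two steps. `check_sha1` compares the file against a checksum you obtained out of band; `verify_sig` checks a detached `.asc` signature against a keyring you populated yourself from an independently obtained key (the keyring path and the sample file are assumptions for the example).

```sh
#!/bin/sh
# Added example, not sbopkg's own code. Verifies a downloaded tarball in two
# independent ways: a checksum obtained out of band, and a detached PGP
# signature checked against a keyring the user controls.

# Print the SHA-1 of a file, using sha1sum (coreutils) or shasum as a fallback.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# check_sha1 FILE EXPECTED_HEX
# Returns 0 only if FILE hashes to EXPECTED_HEX. EXPECTED_HEX must come from a
# source you trust independently of the download page (a signed announcement,
# a key you already hold, a second channel); a hash shown next to the file
# on the same page proves nothing if that page can be tampered with.
check_sha1() {
    file=$1
    expected=$2
    actual=$(sha1_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# verify_sig FILE SIGFILE KEYRING
# Returns 0 only if the detached signature SIGFILE (e.g. foo.tar.gz.asc)
# verifies for FILE using keys from KEYRING alone. KEYRING is an assumed path
# to a keyring you imported the maintainer's public key into yourself, so a
# signature by some other, unknown key fails rather than being "valid".
verify_sig() {
    file=$1
    sigfile=$2
    keyring=$3
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$sigfile" "$file" >/dev/null 2>&1
}

# verify_download FILE EXPECTED_HEX SIGFILE KEYRING
# Requires both checks to pass; prints which one failed.
verify_download() {
    if ! check_sha1 "$1" "$2"; then
        echo "checksum mismatch for $1" >&2
        return 1
    fi
    if ! verify_sig "$1" "$3" "$4"; then
        echo "signature on $1 did not verify against $4" >&2
        return 1
    fi
    echo "$1: checksum and signature OK"
}

# Usage (paths are illustrative):
#   verify_download sbopkg-x.y.tar.gz <sha1 from a trusted source> \
#       sbopkg-x.y.tar.gz.asc "$HOME/.gnupg/sbopkg-maintainer.gpg"
```

Once a key has been imported and used successfully, later releases signed with that same key can be checked by `verify_sig` alone, which is the "trust the key once, then trust the files it signs" workflow described above; the checksum step remains useful for the case where no signature is published at all.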
Quote:
I, personally, see it like this: if the sbopkg devs think the tarball is ok, I simply trust them and that's enough.
I trust the devs alright, just concerned about whether the tarball they produced is the same thing I download.
Quote:
Being a user of sbopkg for some years, it has actually saved me a lot of time: now I just can't think of a world without it and slackbuilds.org.
I can see the value alright.
I just take a cautious approach to what I install.