GNU bug report logs - #20788
24.4; Nicolas Petton's key not included in GNU keyring
Reported by: William G. Gardella <wgg2 <at> member.fsf.org>
Date: Thu, 11 Jun 2015 21:12:02 UTC
Severity: normal
Tags: fixed
Merged with 20298
Found in version 24.4
Done: npostavs <at> users.sourceforge.net
Bug is archived. No further changes may be made.
Message #16 received at 20788 <at> debbugs.gnu.org:

William G. Gardella wrote:

> I disagree that it's of no value; anybody can upload any key to any
> keyserver, but the GNU keyring can be obtained from an HTTPS server with
> a certificate signed by Gandi according to their policies, which,
> while not great, are at least better than the nonexistent verification
> provided by a keyserver.

I still don't get it:
If someone puts a bogus key on a keyserver, it will presumably fail to
verify the ftp.gnu.org tarfile.
And if someone can put a bogus Emacs tarball on ftp.gnu.org, they could
just as well put a bogus keyring file there too. So it doesn't seem to
be of any more value than a sha1sum.

> I will send the report to sysadmin, as apparently no action has been
> taken since late April, when Nicolas's key was supposedly uploaded.

Thanks. Again:

http://debbugs.gnu.org/20298#38
[...] please ask them to review the whole system, not just add [one] key.
Eg mine doesn't seem to be there either, which implies the system
has been busted for years. I assume the file is supposed to be an
automatically generated list of everyone who can upload to
ftp.gnu.org.

This bug report was last modified 8 years and 288 days ago.