On Wed, 29 Jan 2003 19:37:50 GMT, Russell King said:
> I believe a script signs the files on ftp.kernel.org, which means the
> private key is on the master machine, probably without a pass phrase.
> That means that if the master server is compromised, it's highly likely
> that a rogue file will have a correct signature.
OK.. I missed that part, and thought somebody was doing a check-and-balance
before files went out.
> The only way to be completely sure is for Linus to gpg-sign the patches
> himself at source with a known gpg key using a secure pass phrase before
Now there's a thought.. ;)