
Thread: Ubuntu Security Notices and PGP signing

  1. #1
     Join Date: Dec 2004 | Location: EU - Belgium | Beans: 1,625

    Ubuntu Security Notices and PGP signing

    I received a USN yesterday that did not come from Martin, as most do.

    It came from Kees Cook and it was PGP-signed (which is commendable).

    Yet I did not have his key in my keyring, so I fetched it from a keyserver (no big deal here). But after that came the trust issue.

    It was not signed with any trusted signature (not even Martin's). I checked out the signatures, and there seems to be no central Canonical signature on it.

    So I think it would be good to have a key-signing key that signs the keys of the people who send out USNs, so we know they really do belong to Canonical/Ubuntu (not that I have doubts in this case, but it should be obvious).

    What do you guys think about this?
    Linux user #249404 - September 1997
    http://nocturn.vsbnet.be - RSS

    Before executing any commands, make sure you know what they mean, read this first!

  2. #2
     Join Date: Dec 2004 | Location: EU - Belgium | Beans: 1,625

    Re: Ubuntu Security Notices and PGP signing

    bump, no opinions on this?

  3. #3
     Join Date: Aug 2005 | Beans: Hidden!

    Re: Ubuntu Security Notices and PGP signing

    Sounds fair and right to me.

    One question: who would be in charge of the key-signing key? I don't think you would want just anyone having that kind of power. Not that there should be any trust issues; however, you never know.

    Just my thoughts
    Advantages and Disadvantages of 64bit (plus install guides)

    ‘In search of some small measure of peace, that we all seek, and few of us ever find.’

  4. #4
     Join Date: Dec 2004 | Location: EU - Belgium | Beans: 1,625

    Re: Ubuntu Security Notices and PGP signing

    Quote Originally Posted by SD-Plissken View Post
    Sounds fair and right to me.

    One question: who would be in charge of the key-signing key? I don't think you would want just anyone having that kind of power. Not that there should be any trust issues; however, you never know.

    Just my thoughts
    It should be someone inside Ubuntu/Canonical, and a special key-signing key should be used.

    Secondly, the security key should be signed by the others (Martin etc.) to give it a trace.

    These kinds of things are quite difficult, but without the web of trust, a PGP signing key is useless. This is currently the case for the key used on that USN: I cannot verify any path back to Canonical/Ubuntu.
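As an added illustration of the "path back to Canonical/Ubuntu" the posts above are asking for (example code written for this page, not code from the thread, from Ubuntu or from GnuPG): a small Python model of the classic PGP web-of-trust validity computation. The key names (canonical-ksk, martin, kees, dev-b, dev-c) are hypothetical labels, not real key IDs, and the thresholds (one full or three marginal certifications, chains at most five steps long) are GnuPG's defaults modelled in simplified form rather than read from a real keyring. The three scenarios walk through the thread's situation (a keyserver-fetched key nobody you trust has certified), the proposed fix (a single key-signing key under Canonical's control), and the "signed by the others" fallback.

```python
"""Simplified model of the web-of-trust check a PGP client makes before it
will call a key 'valid' (believe it belongs to the named person).

Added example for this page, not code from the thread or from GnuPG.
Rules mirrored from GnuPG's classic trust model:
  * keys you mark ULTIMATE are valid and their certifications count in full;
  * a key becomes valid with >= COMPLETES_NEEDED certifications from valid
    FULL/ULTIMATE keys, or >= MARGINALS_NEEDED from valid MARGINAL keys;
  * certification chains longer than MAX_CERT_DEPTH are not followed.
All key names are hypothetical labels, not real key IDs.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


@dataclass
class Keyring:
    certifications: dict = field(default_factory=dict)  # subject -> {signers}
    owner_trust: dict = field(default_factory=dict)     # key -> trust level

    def add_key(self, kid: str) -> None:
        self.certifications.setdefault(kid, set())

    def certify(self, signer: str, subject: str) -> None:
        """Record that `signer` has signed `subject`'s key."""
        self.add_key(signer)
        self.add_key(subject)
        self.certifications[subject].add(signer)

    def set_owner_trust(self, kid: str, level: str) -> None:
        self.add_key(kid)
        self.owner_trust[kid] = level

    def validity(self) -> dict:
        """Return {key: depth} for every valid key, working outward from the
        ultimately trusted keys one certification step per pass."""
        valid = {k: 0 for k, t in self.owner_trust.items() if t == ULTIMATE}
        for depth in range(1, MAX_CERT_DEPTH + 1):
            newly_valid = []
            for kid, signers in self.certifications.items():
                if kid in valid:
                    continue
                full = sum(1 for s in signers if s in valid
                           and self.owner_trust.get(s) in (ULTIMATE, FULL))
                marginal = sum(1 for s in signers if s in valid
                               and self.owner_trust.get(s) == MARGINAL)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    newly_valid.append(kid)
            if not newly_valid:
                break
            for kid in newly_valid:
                valid[kid] = depth
        return valid

    def is_valid(self, kid: str) -> bool:
        return kid in self.validity()

    def trust_path(self, kid: str):
        """Certification chain from `kid` back to an ultimate key, or None
        when no such path exists (the thread's complaint)."""
        valid = self.validity()
        if kid not in valid:
            return None
        path = [kid]
        while valid[path[-1]] > 0:
            cur = path[-1]
            # any valid certifier one step closer to a root will do
            path.append(min((s for s in self.certifications[cur]
                             if s in valid and valid[s] < valid[cur]),
                            key=lambda s: (valid[s], s)))
        return path


def scenario_unsigned_usn_key() -> bool:
    """Key fetched from a keyserver, certified by nobody you trust."""
    kr = Keyring()
    kr.set_owner_trust("canonical-ksk", ULTIMATE)  # hypothetical key-signing key
    kr.certify("canonical-ksk", "martin")
    kr.add_key("kees")                             # no certifications at all
    return kr.is_valid("kees")


def scenario_ksk_signs_usn_key():
    """One key-signing key certifies every USN sender's key."""
    kr = Keyring()
    kr.set_owner_trust("canonical-ksk", ULTIMATE)
    kr.certify("canonical-ksk", "kees")
    return kr.trust_path("kees")


def scenario_three_marginal_signers():
    """No KSK signature on Kees's key, only certifications from other team
    members you trust marginally: two are not enough, three are."""
    kr = Keyring()
    kr.set_owner_trust("canonical-ksk", ULTIMATE)
    for dev in ("martin", "dev-b", "dev-c"):       # hypothetical team keys
        kr.certify("canonical-ksk", dev)
        kr.set_owner_trust(dev, MARGINAL)
    kr.certify("martin", "kees")
    kr.certify("dev-b", "kees")
    with_two = kr.is_valid("kees")
    kr.certify("dev-c", "kees")
    return with_two, kr.is_valid("kees")


if __name__ == "__main__":
    print("unsigned key valid?", scenario_unsigned_usn_key())
    print("path via KSK:", scenario_ksk_signs_usn_key())
    print("two vs three marginal signers:", scenario_three_marginal_signers())
```

The point the model makes is the one the last post states: fetching a key from a keyserver tells you nothing about who owns it, and a key's validity only ever comes from certifications you can trace to something you trust. In a real keyring the same computation is what gpg performs when it rebuilds the trust database (`gpg --check-trustdb`), and a key with no such path is reported with validity "unknown", which is exactly what the original poster saw on the USN key.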
