[WineHQ] service.cgi fixes

Chris Morgan cmorgan at alum.wpi.edu
Fri Jun 11 09:28:34 CDT 2004


We don't have a good way of distributing and managing the gpg keys, there is 
no script control over that part of winrash.  If there was an automated and 
secure way of keeping the trusted signatures up to date I wouldn't mind 
turning it back on.  It just has to be something that can be maintained 
without manual intervention with gpg.  I'm also not really sure how the whole 
gpg signature thing works.  Right now we bundle a config file for gpg that 
trusts your signature.  Can we have that managed by the service so it happens 
automatically or does that implicitly violate the trust as we are getting the 
signature from the service initially?

Chris



On Friday 11 June 2004 9:49 am, Paul Millar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Dimi,
>
> Why remove the verification of the code's gpg signature?  It seems to
> break a basic security maxim: don't trust the network.
>
> On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
> > ChangeLog
> >     Do not include irrelevant stuff in the _history.
> >     Do not instruct the client to verify the .sig,
> >     it's a b0rken idea anyway.
>
> - --
> Paul Millar
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFAybhq/9JwS78PA+kRAuv/AJ9Ulntb1MLGn+2gp8r/qpy6VqJDVACePwVB
> VXxAHr9gaBuMhIJ7P81ahMA=
> =0tkh
> -----END PGP SIGNATURE-----



More information about the wine-devel mailing list