>Number:         1283
>Category:       documentation
>Synopsis:       PGP Public Keys not publicly registered
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          doc-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Oct 20 16:20:00 PDT 1997
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3b2 (all?)
>Environment:    n/a (all)
>Description:
For the suitably paranoid, it's a bad thing (tm) that the current distribution of the Apache source does not have a publicly available PGP Public Key associated with it (i.e. looking up key A0BB71C1 fails on any public key server).

The point of this is that, if we're really worried about source tampering on the Apache FTP site, it is conceivable that the keyfiles and signatures out there are also prone to the same problem. Put simply, if the source file is tampered with on a given machine, it's pretty reasonable to assume that the keyfile/sigs will also be modified (i.e. tampered with), therefore nullifying the usefulness of the information they are designed to protect.
>How-To-Repeat:
Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
>Fix:
Register the keys officially (see http://pgp.mit.edu/)
>Audit-Trail:
>Unformatted:
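The check the report is asking for, as an added example that is not part of the bug report or of Apache's own tooling: verification only means something when the signing key's fingerprint is pinned to a value obtained independently of the download site, so the script below generates throwaway keys (the `example.invalid` names, files and fingerprints are constructed, and the real key A0BB71C1 is not involved) and shows that gpg alone accepts an attacker's signature on a tampered tarball while the pinned check rejects it. It assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not the bug report's or Apache's own code). Assumes GnuPG 2.1 or later.
# Keys, tarballs and fingerprints are generated on the fly and are constructed; none is
# the real Apache key A0BB71C1.

# verify_release TARBALL SIG KEYFILE EXPECTED_FPR
# Accept only if the detached signature is good AND the primary key that made it has
# the fingerprint EXPECTED_FPR, obtained through a channel independent of the download
# site (a key server, a printed fingerprint, a key already held from an earlier release).
verify_release() {
  gpg --batch --quiet --import "$3" 2>/dev/null || return 1
  # --status-fd 1 gives machine-readable lines; VALIDSIG ends with the primary key fpr.
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  [ -n "$fpr" ] && [ "$fpr" = "$4" ]
}

# sign_as WHO FILE OUTPUT: detached armored signature with WHO's throwaway key.
sign_as() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$1@example.invalid" --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

# Build the scenario from the report in a private GNUPGHOME: the maintainer signs the
# genuine tarball; an attacker who controls the FTP site ships a tampered tarball with
# a signature from their own key and that key's public file alongside it.
setup_scenario() {
  SCENARIO=$(mktemp -d)
  export GNUPGHOME="$SCENARIO/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  for who in maintainer attacker; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$who@example.invalid" ed25519 sign never 2>/dev/null
    gpg --batch --armor --export "$who@example.invalid" > "$SCENARIO/$who.asc"
  done
  # The value a careful user would have fetched from somewhere other than the FTP site.
  MAINTAINER_FPR=$(gpg --batch --with-colons --fingerprint maintainer@example.invalid |
                   awk -F: '$1 == "fpr" { print $10; exit }')
  printf 'constructed genuine source\n'  > "$SCENARIO/apache.tar.gz"
  printf 'constructed tampered source\n' > "$SCENARIO/tampered.tar.gz"
  sign_as maintainer "$SCENARIO/apache.tar.gz"   "$SCENARIO/genuine.sig"
  sign_as attacker   "$SCENARIO/tampered.tar.gz" "$SCENARIO/forged.sig"
}
```

Run `setup_scenario` and then call `verify_release` with the two signature/key pairs and `$MAINTAINER_FPR` to see the genuine release accepted and the attacker's accepted-by-gpg signature rejected.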
