Quoting Roland Häder (2017-06-03 22:12:23)
> Do not bypass security! Better is to get it properly signed.

Yes, establishing a trust path (which includes offering signed package
release files but also other parts) is better than not doing so.
Maintained packages are even better - e.g. collectively by Debian.

> You should then provide the GPG public key (obviously) on your website
> so people can use it for verification the apt-key-common way:
>
> gpg --keyserver pgpkeys.mit.edu --recv-key xxxxxx
> gpg -a --export xxxxxx | sudo apt-key add -

Above verifies only that the signing key exists on that public keyserver
- it does not establish a trust path and is therefore not (on its own)
trustworthy.

Please read http://deb.jones.dk/ and tell me which parts of that are
flawed or superfluous or wrong in other ways.

> by xxxxxx is the long key id (don't encourage short keys, they are
> flawed as malicious people can theoretically craft a pgp key that has the
> same (!) short key, like it already happened with Linus Torvalds' key.

Yes, do that and also a range of other best practices:
https://help.riseup.net/en/security/message-security/openpgp/best-practices

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
_______________________________________________
Community mailing list
[email protected]
http://lists.goldelico.com/mailman/listinfo.cgi/community
http://www.tinkerphones.org
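An added example, not code from this thread or from deb.jones.dk: a POSIX shell check in the spirit of the advice above that refuses short and long key ids, accepts only a full primary-key fingerprint obtained out of band, and installs the key into a per-repository keyring instead of the system-wide apt-key store. The fingerprint, file names, keyring path and the gpg colon-format records used for testing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. The expected fingerprint, key file
# and keyring path below are placeholders; use values published out of band.

# Accept only a full 40-hex-digit OpenPGP v4 fingerprint. An 8-digit short key
# id is trivially collidable and a 16-digit long id is only 64 bits, so neither
# is a safe way to say "this is the key I meant".
is_full_fingerprint() {
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Read gpg --with-colons records on stdin and succeed only if they describe
# exactly one key whose primary fingerprint (first fpr record after pub)
# equals $1. Subkey fingerprints deliberately do not count.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    is_full_fingerprint "$expected" || return 1
    found=$(awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && pubs == 1 && !got { got = 1; fpr = $10 }
        END { if (pubs != 1) exit 1; print fpr }') || return 1
    [ "$found" = "$expected" ]
}

# Install an ASCII-armored key downloaded from the vendor's site only after the
# check passes. It goes into a dedicated keyring referenced via Signed-By, so it
# is trusted for that one repository only (apt-key add trusts it for all).
install_apt_key() { # $1=armored key file  $2=expected fingerprint  $3=keyring
    gpg --with-colons --import-options show-only --import "$1" \
        | fingerprint_matches "$2" || {
        echo "refusing to install $1: primary fingerprint is not $2" >&2
        return 1
    }
    gpg --dearmor < "$1" > "$3"
}

# Usage (placeholder values):
#   install_apt_key vendor-archive-key.asc \
#       0123456789ABCDEF0123456789ABCDEF01234567 /etc/apt/keyrings/vendor.gpg
# and in the sources entry: Signed-By: /etc/apt/keyrings/vendor.gpg
```

The fingerprint you compare against must come from somewhere other than the keyserver or the key file itself, otherwise the check only restates what the attacker controls.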
