Kris Kennaway wrote:
On Wed, Mar 17, 2004 at 01:13:47AM -0500, Bob Perry wrote:
Kris,
I installed gnupg-1.2.4_1, The GNU Privacy Guard, & read over the README
and HOWTOs. Ran into a problem re "...unsafe ownership of the main
configuration file...." Searched the mailing list archives with little luck
but, more importantly, the users' mailing list was unavailable.
Well, what is the ownership? gnupg probably expects it to be owned by the user and not to be world- or group-writable, and maybe not to be readable either. I.e., the permissions on the file should be secure.
My objective was to just install a security patch. Is the file verification
step really necessary?
That all depends on whether or not you have a trojaned copy of the security patch :-)
I'm at the stage now, where I need to validate and certify the Security Officer's PGP key before I can verify the signature. Documentation suggests "...comparing
the key during a phone call." Later, there is the reality that "If you don't know the
owner of the public key you are really in trouble."
Is there some recommended course to follow when it comes to handling these
FreeBSD security patches?
PGP keys for all the FreeBSD officers are available in Appendix D of the FreeBSD handbook. If your local copy is old, you could check the online version at www.freebsd.org/handbook.
Kevin Kinsey
DaleCo, S.P.
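The ownership and permission conditions described in the reply above, written as a shell check (an added example, not part of the original thread and not GnuPG's own code). The function names are hypothetical; `GNUPGHOME` and `~/.gnupg` are GnuPG's standard home-directory locations, and the conditions tested are assumed to match the reply's description rather than taken from GnuPG's source.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory for the conditions named in
# the reply: owned by the invoking user, not group- or world-writable.
# Assumption: these tests follow the reply's wording, not GnuPG's source.

# check_gpg_path PATH -> prints one line per finding, returns the problem count
check_gpg_path() {
    path=$1
    problems=0
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    # find prints the path only when every test matches, so an empty
    # result means the owner is someone other than the current uid.
    if [ -z "$(find "$path" -prune -user "$(id -u)")" ]; then
        echo "not owned by uid $(id -u): $path"
        problems=$((problems + 1))
    fi
    # Group-write (020) or world-write (002) bit set.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group- or world-writable: $path"
        problems=$((problems + 1))
    fi
    # The reply says "maybe" for readability, so this is a note, not a problem.
    if [ -n "$(find "$path" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "note: readable by group or others: $path"
    fi
    return "$problems"
}

# audit_gnupg_home [DIR] -> checks DIR and every entry directly inside it
audit_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    total=0
    for entry in "$dir" "$dir"/*; do
        [ -e "$entry" ] || continue
        rc=0
        check_gpg_path "$entry" || rc=$?
        total=$((total + rc))
    done
    return "$total"
}
```

Running `audit_gnupg_home` with no argument checks the current user's GnuPG directory; findings are usually cleared with `chown` to the user and `chmod 700` on the directory and `chmod 600` on the files in it.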