On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
>
> On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
>
> > Does anybody know where I could get the PGP keys to verify the
> > integrity of the source code I downloaded from a mirror?
>
> PGP is not used to sign releases or release announcements.
>
> To verify the integrity of a tarball download from ftp.openldap.org or
> a mirror, you can check it against the SSHA1 and/or MD5 hashes
> published as part of the announcement for the release (posted to
> [EMAIL PROTECTED], archived in that list's archives).
>
> Hash verification is not intended to detect instances where
> openldap.org hosted services have been hijacked or otherwise seriously
> compromised.
However, only offering the option to verify the hashes using unsigned emails or non-https publications on a web site is offering up many more attack vectors. PGP-signing the hashes would solve this problem and is bog standard practice in many (most?) projects, and I would like to see it offered by OpenLDAP.

Cheers,
Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
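The hash check Kurt describes, as an added example that is not part of the original thread and not OpenLDAP's own tooling: it streams a downloaded tarball through MD5 and SHA-1, compares each computed digest against the values copied from the announcement, and reports which one disagreed. The announcement format assumed here is plain `md5sum`/`sha1sum`-style lines (`<hex>  <filename>`), with the algorithm inferred from the digest length; the tarball itself is constructed in a temporary directory so the example runs offline. As the thread points out, a match proves only that the file you have is the file the announcement describes; it says nothing about who published the announcement, which is exactly the gap a detached signature over the hashes would close.

```python
import hashlib
import hmac
import os
import tarfile
import tempfile

# Constructed announcement text in md5sum/sha1sum output style (assumed
# format, not OpenLDAP's actual announcement layout). The digests are the
# well-known MD5 and SHA-1 of the empty string, used only as sample values.
CONSTRUCTED_ANNOUNCEMENT = """\
d41d8cd98f00b204e9800998ecf8427e  openldap-sample.tgz
da39a3ee5e6b4b0d3255bfef95601890afd80709  openldap-sample.tgz
"""

# Digest hex length -> algorithm name; lets us parse mixed MD5/SHA-1 lines.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}


def parse_checksum_lines(text):
    """Return {filename: {algo: hexdigest}} from checksum-style lines."""
    published = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or unrelated lines
        digest, filename = parts[0].lower(), parts[1]
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            continue  # unknown digest length; ignore rather than guess
        published.setdefault(filename, {})[algo] = digest
    return published


def file_digests(path, chunk_size=1 << 16):
    """Stream the file once through MD5 and SHA-1 (tarballs can be large)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_tarball(path, published):
    """Compare computed digests with the published ones.

    `published` maps algorithm name -> hex digest. Every published digest
    must match; returns (ok, details) so the caller can log which one
    disagreed. An empty `published` dict is a failure, not a pass.
    """
    actual = file_digests(path)
    details = {}
    for algo, expected in published.items():
        got = actual.get(algo)
        if got is None:
            details[algo] = "unsupported algorithm"
            continue
        # compare_digest avoids leaking where the strings diverge
        match = hmac.compare_digest(got, expected.strip().lower())
        details[algo] = "ok" if match else "MISMATCH"
    ok = bool(details) and all(v == "ok" for v in details.values())
    return ok, details


def build_sample_tarball(directory):
    """Create a tiny constructed 'release' tarball (not a real release)."""
    src = os.path.join(directory, "README")
    with open(src, "w") as f:
        f.write("constructed sample release, not real OpenLDAP source\n")
    path = os.path.join(directory, "openldap-sample.tgz")
    with tarfile.open(path, "w:gz") as tar:
        tar.add(src, arcname="openldap-sample/README")
    return path


def demo():
    """Verify the sample tarball against matching and tampered hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = build_sample_tarball(tmp)
        good = file_digests(path)  # stands in for the announcement's values
        ok_good, _ = verify_tarball(path, good)
        # Simulate a swapped tarball: the published SHA-1 no longer matches.
        tampered = dict(good, sha1="0" * 40)
        ok_bad, details_bad = verify_tarball(path, tampered)
        return {"good": ok_good, "tampered": ok_bad, "tampered_details": details_bad}


if __name__ == "__main__":
    print(parse_checksum_lines(CONSTRUCTED_ANNOUNCEMENT))
    print(demo())
```

In practice you would feed `parse_checksum_lines` the announcement text and pass `published[filename]` to `verify_tarball`; if the announcement were PGP-signed, the signature check on that text would come first, since a forged announcement with matching hashes passes this check by design.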
