On Wednesday 29 June, around 8 am, Sylvain Beucler wrote:

> On Tue, Jun 28, 2005 at 07:06:51PM +0200, Mathieu Roy wrote:
> > 
> > To improve security, there will be automated verification of GPG
> > signed files contained in projects download areas soon.
> > 
> > Projects will not be forced to sign their files, indeed, but
> > encouraged to do so. Signed files that could not be verified will
> > be moved in subdirectories named /maybe-corrupted.
> > 
> > This automated check is not in production yet since it appears
> > that several projects have GPG signed files that cannot be
> > verified because their project members have not registered their
> > GPG key through Savane yet.
> > 
> > Automated checks will be activated next week so it is important
> > that projects members register their GPG keys at
> > https://gna.org/account/change.php?item=gpgkey
> > 
> > If you want to know more about this issue, check the FAQ.
> > 
> > 
> > 
> > The verification failed for the following files:
> > -------------------------------------------------------
> 
> I think we'll get a lot more of this, say, within a year or two,
> when several GPG keys will expire. Usually people do not re-sign old
> downloads when they renew their keys :/

Indeed that could cause a problem. But the md5 of files successfully
verified are cached (to avoid checking several times the same,
unchanged, files).
So unless someone erases the cache, there will be no problem.

Currently, the script that checks the download area is quite
basic. But at a later point, we could make it distinguish GPG errors and
behave accordingly.

Regards,



-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
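
The two ideas in the message above (a cache of already-verified files, and a checker that tells GPG errors apart) can be sketched as follows; this is an added example, not Savane's script and not code from anyone in the thread. It classifies the status keywords GnuPG prints with `--status-fd`; the action names, the `run_gpg` callable and the sample status lines are assumptions constructed for illustration, and SHA-256 is used for the cache key where the message mentions md5.

```python
import hashlib

# Status keywords printed by `gpg --status-fd 1 --verify SIG FILE`, most
# decisive first. The action names are this example's policy (assumption).
RULES = [
    ("BADSIG", "quarantine"),       # file does not match its signature
    ("NO_PUBKEY", "ask-for-key"),   # signer's key is not registered
    ("ERRSIG", "quarantine"),       # signature could not be checked
    ("EXPKEYSIG", "flag-expired"),  # signature good, key expired since
    ("GOODSIG", "ok"),
]

def classify(status_text):
    """Map gpg status output to an action; unrecognised output fails closed."""
    words = [line.split() for line in status_text.splitlines()]
    seen = {w[1] for w in words if len(w) >= 2 and w[0] == "[GNUPG:]"}
    for keyword, action in RULES:
        if keyword in seen:
            return action
    return "quarantine"

def check(data, signature, run_gpg, cache):
    """Verify a file once; unchanged bytes are answered from the cache."""
    # Hash file and signature together so replacing either forces a recheck.
    key = hashlib.sha256(hashlib.sha256(data).digest() + signature).hexdigest()
    if key in cache:
        return "ok (cached)"
    action = classify(run_gpg(data, signature))
    if action == "ok":
        cache.add(key)
    return action

# Constructed status lines; key id and user id are placeholders.
SIGNER = "0123456789ABCDEF Example Signer <signer@example.org>"
GOOD = "[GNUPG:] GOODSIG " + SIGNER
EXPIRED = "[GNUPG:] EXPKEYSIG " + SIGNER
MISSING = "[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1119945600 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF"
BAD = "[GNUPG:] BADSIG " + SIGNER

def demo():  # the thread's scenario: verify, key expires, cache erased
    cache, data, sig = set(), b"release-1.0.tar.gz bytes", b"detached sig bytes"
    return [
        check(data, sig, lambda d, s: GOOD, cache),        # first run
        check(data, sig, lambda d, s: EXPIRED, cache),     # key expired later
        check(data, sig, lambda d, s: EXPIRED, set()),     # cache erased
        check(data + b"!", sig, lambda d, s: BAD, cache),  # file changed
    ]

if __name__ == "__main__":
    print(demo())
```

With the cache intact an expired key never triggers a recheck; once the cache is gone, the separate `flag-expired` outcome keeps an old but genuine release from being treated like a tampered one.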
