On 2-Jan-09, at 2:41 AM, gordy wrote:
Hi mailing list, Happy 2009 and thanks for a new version (I have been on cvs 1.3.31). I have always struggled with gpg... so first the forest... I can install rkh ok... it's just I have trouble getting gpg to work.
I'm no gpg guru either - this is an interesting thread. Verifying the integrity of the file is easy - just

wget http://superb-east.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz.asc
wget http://superb-east.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
gpg --verify rkhunter-1.3.4.tar.gz.asc

and gpg automagically downloaded the appropriate key for me and verified the file.
What I don't have a good handle on is how we verify that key back to John Horne and unspawn et al. The key is not on the website, and even if it was, I'm unsure how to tie that back to the software project's leaders.
Obviously I've got no reason to think the code is malicious, and I can study it myself to see what it's doing, but if I've chosen to trust John Horne and unspawn by running their code, then it would be nice to tie the code back to them, or at least the project. Or am I thinking about this wrong?
Brian
------------------------------------------------------------------------------
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
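
The message above separates two checks: `gpg --verify` shows the tarball matches its signature, while a key that gpg fetched by itself says nothing about who owns it. As an added example (not part of the original message and not rkhunter project code), this shell function accepts a verification only when gpg's machine-readable status names a fingerprint you pinned after obtaining it out of band. Assumptions: the fingerprint, the signer name and the status lines below are constructed placeholders, and `status_matches_fpr` and `verify_pinned` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not the rkhunter
# project's key; use the fingerprint you obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported
# GOODSIG and a VALIDSIG line names the pinned key. In VALIDSIG, field 3 is
# the fingerprint of the signing key and the last field its primary key.
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Insist on a full 40-hex-digit (v4) fingerprint; a short key ID
    # does not identify a key uniquely.
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Expired, revoked, bad or uncheckable signatures are refused.
        $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) {
            pinned = 1
        }
        END { exit ((good && pinned && !bad) ? 0 : 1) }'
}

# Wrapper around the command from the post; needs gpg and the two files.
# usage: verify_pinned FILE.asc FILE FINGERPRINT
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_matches_fpr "$3"
}

# Constructed status output for a good signature by the placeholder key.
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-01-02 1230856860 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

if printf '%s\n' "$SAMPLE_GOOD" | status_matches_fpr "$PINNED_FPR"; then
    echo "signature is good and was made by the pinned key"
else
    echo "REFUSED: not a good signature from the pinned key" >&2
fi
```

With real files the call would be `verify_pinned rkhunter-1.3.4.tar.gz.asc rkhunter-1.3.4.tar.gz "$PINNED_FPR"`, which fails closed if gpg is missing or prints no status lines.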