Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1998/03/24 07:12:41 UTC

Re: cvs commit: apache-site/dist README.html

On 24 Mar 1998 dgaudet@hyperreal.org wrote:

>    <SAMP>KEYS</SAMP> file after unpacking the
>    distribution.</P>
>    <PRE>e.g.
>   -% pgp &lt; KEYS
>   -% gunzip apache_1.2.5.tar.gz 
>   -% pgp apache_1.2.5.tar.asc  apache_1.2.5.tar
>   +% pgpk -a KEYS
>   +% pgpv apache_1.2.6.tar.gz.asc
>    </PRE>
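
Review bot: the added `% pgpk -a KEYS` line still loads keys from the KEYS file that the context line describes as found "after unpacking the distribution", so the following `pgpv apache_1.2.6.tar.gz.asc` check only shows that the tarball and its keys came from the same place. Suggest the README say where to obtain or cross-check the keys independently of the download, and keep a `pgp` form next to `pgpk`/`pgpv` for readers whose PGP does not have those two commands.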

I dunno, I'm blissfully ignorant of pgp, but it seems quite foolish for us
to suggest that the KEYS file in the distribution is to be trusted.  This
should really be pointing folks at some key server I'd think. 

Dean


Re: cvs commit: apache-site/dist README.html

Posted by Dean Gaudet <dg...@arctic.org>.

On Tue, 24 Mar 1998, Rodent of Unusual Size wrote:

> Or at least from the Web site.  I don't know what these "pgpk" and "pgpv"
> commands are; they're certainly not standard.

They certainly are.  They're pgp 5.0.  Which happens to be what I have
installed.  And since nobody signed it when I asked months ago I had to
sign it myself. 

Dean


Re: cvs commit: apache-site/dist README.html

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dean Gaudet wrote:
> 
> On 24 Mar 1998 dgaudet@hyperreal.org wrote:
> 
> >    <SAMP>KEYS</SAMP> file after unpacking the
> >    distribution.</P>
> >    <PRE>e.g.
> >   -% pgp &lt; KEYS
> >   -% gunzip apache_1.2.5.tar.gz
> >   -% pgp apache_1.2.5.tar.asc  apache_1.2.5.tar
> >   +% pgpk -a KEYS
> >   +% pgpv apache_1.2.6.tar.gz.asc
> >    </PRE>
> 
> I dunno, I'm blissfully ignorant of pgp, but it seems quite foolish for us
> to suggest that the KEYS file in the distribution is to be trusted.  This
> should really be pointing folks at some key server I'd think.

Or at least from the Web site.  I don't know what these "pgpk" and "pgpv"
commands are; they're certainly not standard.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/

Re: cvs commit: apache-site/dist README.html

Posted by Ben Laurie <be...@algroup.co.uk>.
Dean Gaudet wrote:
> 
> On 24 Mar 1998 dgaudet@hyperreal.org wrote:
> 
> >    <SAMP>KEYS</SAMP> file after unpacking the
> >    distribution.</P>
> >    <PRE>e.g.
> >   -% pgp &lt; KEYS
> >   -% gunzip apache_1.2.5.tar.gz
> >   -% pgp apache_1.2.5.tar.asc  apache_1.2.5.tar
> >   +% pgpk -a KEYS
> >   +% pgpv apache_1.2.6.tar.gz.asc
> >    </PRE>
> 
> I dunno, I'm blissfully ignorant of pgp, but it seems quite foolish for us
> to suggest that the KEYS file in the distribution is to be trusted.  This
> should really be pointing folks at some key server I'd think.

It should be explicitly stated that KEYS from the distribution is _not_
to be trusted. However, a KEYS file from an old distribution may be
trustworthy - particularly if you can independently verify the
distribution.

Getting them from a keyserver is another way to increase your level of
trust.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
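
Added example, not part of the original thread or of the Apache distribution: one way to act on the point made above, by accepting a signature only when the signing key's fingerprint matches one obtained through a separate channel (web site, keyserver, an older distribution). It uses GnuPG rather than the PGP 5.0 commands in the diff; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Pin the signer's fingerprint out of band instead of trusting the KEYS
# file that ships in the same download as the tarball.

# sig_by_pinned_key PINNED_FPR
# Reads GnuPG machine-readable status lines (--status-fd) on stdin.
# Succeeds only if a VALIDSIG line names the pinned primary key.
sig_by_pinned_key() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || return 2
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; the last documented
            # field (12) is the primary key fingerprint when present.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release KEYS SIGFILE DATAFILE PINNED_FPR
# Imports KEYS into a throwaway keyring, verifies the detached
# signature, and accepts it only if the pinned key made it.
verify_release() {
    keys=$1; sig=$2; file=$3; pinned=$4
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null |
        sig_by_pinned_key "$pinned"
    rc=$?
    rm -rf "$home"
    return $rc
}
```

Importing the bundled KEYS file here is only a convenience for getting the key material; the decision rests on the fingerprint passed as the fourth argument, which has to come from somewhere other than the download being checked.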