Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.org> on 1998/07/23 19:04:54 UTC

Fwd: 1.3.1 missing pgp signature

Could someone get off their duff and sign the apache 1.3.1 releases?  Don't
make me learn PGP with all its inter-version incompatibilities.  :)

	Brian

>Delivered-To: brian@hyperreal.org
>Delivered-To: webmaster@apache.org
>Date: Thu, 23 Jul 1998 21:25:41 +1000 (EST)
>From: David J N Begley <da...@avarice.nepean.uws.edu.au>
>Reply-To: David J N Begley <d....@nepean.uws.edu.au>
>To: webmaster@apache.org
>Subject: 1.3.1 missing pgp signature
>X-No-Archive: Yes
>X-Rememberance: Mother Teresa (1910-1997)
>
>The Apache 1.3.1 release is missing a PGP signature (.asc) - cheers...
>
>
>David J. N. Begley  <d....@nepean.uws.edu.au>
>Network Analyst, Communications Unit
>University of Western Sydney, Nepean
>Australia
> 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices  |     brian@apache.org
acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org

Re: Fwd: 1.3.1 missing pgp signature

Posted by Rasmus Lerdorf <ra...@lerdorf.on.ca>.
> > Look at it this way: If someone tried to write an Apache module, and it
> > kept blowing up, and they really wanted to do it, and they couldn't
> > get it to work after a day's effort, and spent a lot of time trying to
> > get it right, do you think it would be appropriate for them to
> > categorically state that 'Apache sucks' as a result?  *That's* the
> > sort of point I was trying to make -- gently, in a friendly
> > way, and not adversarially at all.  That's why I included the smiley.
> 
> I don't think the expected complexity of the two projects is similar.  If
> you compare setting up pgp with setting up apache you're at least comparing
> similar projects.  Building a module is an entirely different story.  And
> yes they'd be right to say "Apache's API documentation sucks", and I
> wouldn't disagree (I think we all agree on this one). 

Yup.  Unless another module already exists which does many of the same
things a new module writer wants to do, it is not easy for them to get
started.  You pretty much have to hang around this list asking stupid
questions for years before you can get a decently working complex module
to not blow up.

-Rasmus


Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.

On Mon, 27 Jul 1998, Rodent of Unusual Size wrote:

> Look at it this way: If someone tried to write an Apache module, and it
> kept blowing up, and they really wanted to do it, and they couldn't
> get it to work after a day's effort, and spent a lot of time trying to
> get it right, do you think it would be appropriate for them to
> categorically state that 'Apache sucks' as a result?  *That's* the
> sort of point I was trying to make -- gently, in a friendly
> way, and not adversarially at all.  That's why I included the smiley.

I don't think the expected complexity of the two projects is similar.  If
you compare setting up pgp with setting up apache you're at least comparing
similar projects.  Building a module is an entirely different story.  And
yes they'd be right to say "Apache's API documentation sucks", and I
wouldn't disagree (I think we all agree on this one). 

Dean



Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dean Gaudet wrote:
> 
> On Sat, 25 Jul 1998, Rodent of Unusual Size wrote:
> 
> > Dean Gaudet wrote:
> > >
> > > I disagree.  Last time I signed a release we got a few dozen emails
> > > indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> > > most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> >
> > Excuse me, but your inclination to give inadequate effort to things
> > in which you're not interested, and saying that they therefore suck,
> > sucks. :-)
> 
> Fuck off.  I spent a lot of time trying to get this right, and the fucking
> FAQ didn't exist when I tried to get all this stuff set up.  And I was
> interested in setting it up, I was actually interested in signing every
> one of my messages.

Gee, doesn't *anyone* pay attention to smileys anymore?

Look at it this way: If someone tried to write an Apache module, and it
kept blowing up, and they really wanted to do it, and they couldn't
get it to work after a day's effort, and spent a lot of time trying to
get it right, do you think it would be appropriate for them to
categorically state that 'Apache sucks' as a result?  *That's* the
sort of point I was trying to make -- gently, in a friendly
way, and not adversarially at all.  That's why I included the smiley.

It didn't sound like you were motivated to succeed; I assumed that,
I was wrong, and I apologise and retract the remark.  All right?

> It was discussed, but nobody could point me at a short list of install
> steps.  Now I've got pgp 5.x installed and I'm being told that's wrong.
> I'm sorry, this is a waste of time.

All right, for you it's a waste of time.  I've no problem nor issue
with that.  But other people's opinions of whether it's a waste of
*their* time may differ.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/



Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.

On Sat, 25 Jul 1998, Rodent of Unusual Size wrote:

> Dean Gaudet wrote:
> > 
> > I disagree.  Last time I signed a release we got a few dozen emails
> > indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> > most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> 
> Excuse me, but your inclination to give inadequate effort to things
> in which you're not interested, and saying that they therefore suck,
> sucks. :-)

Fuck off.  I spent a lot of time trying to get this right, and the fucking
FAQ didn't exist when I tried to get all this stuff set up.  And I was
interested in setting it up, I was actually interested in signing every
one of my messages. 

> All the stuff about the different version interoperability issues was
> discussed on this list long ago.  Yes, it's nothing short of a massive
> PITA; as far as I'm aware, blame RSA for that - it wasn't PGP's idea.

It was discussed, but nobody could point me at a short list of install
steps.  Now I've got pgp 5.x installed and I'm being told that's wrong. 
I'm sorry, this is a waste of time. 

Dean


Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dean Gaudet wrote:
> 
> I disagree.  Last time I signed a release we got a few dozen emails
> indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.

Excuse me, but your inclination to give inadequate effort to things
in which you're not interested, and saying that they therefore suck,
sucks. :-)

All the stuff about the different version interoperability issues was
discussed on this list long ago.  Yes, it's nothing short of a massive
PITA; as far as I'm aware, blame RSA for that - it wasn't PGP's idea.
Like the U.S.' attitude on encryption, it's rubbish - but you
have to live with it if you want to use the stuff under circumstances
in which the rubbish obtains.

> The key servers seem to change
> address every couple of months, and there's no damn FAQ that says "here
> are the 12 steps to working well with the rest of the world".

The issue of the key servers has nothing to do with the value and
viability of PGP, and doesn't really relate to the tarball signing
issue anyway.  And someone has already pointed you to a FAQ.

> I wasted, and I do mean waste, a day trying to figure it out.  And I
> couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
> don't know if my key is in the right key servers.  I don't know if my pine
> pgp plugin is doing the right thing... the list goes on.

And none of those have anything to do with signing a release tarball,
so are red herrings.

I guess the bottom line here is, 'don't ask Dean to do any releases or
sign any tarballs or touch PGP with a ten-nanosecond pole,' right? :-)

Just wait 'til PGP is written in C++! :-D

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>

Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Brian Behlendorf wrote:
> 
> You know, I was going to comment on this thread, because I found Ben's and
> Ken's messages both rather appalling and in error, but it's just not worth
> that much of my ever decreasing amount of time for intellectual sparring.

Oh come on. If you are going to find my messages appalling you could at
least say why.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Brian Behlendorf wrote:
> 
> You know, I was going to comment on this thread, because I found Ben's and
> Ken's messages both rather appalling and in error, but it's just not worth
> that much of my ever decreasing amount of time for intellectual sparring.

Didn't you notice the smileys?  I put them in there for a reason..

> Those who care about the PGP signatures so strongly should just sign the
> distributions, end of story.

Not if it puts a significant amount of work on people who were too busy
to roll the tarball in the first place.

I guess David's right - we need to come to a conclusion (if we haven't
yet) whether we should sign the releases or not.  And then be consistent
about applying that decision.  Personally, I think they should be signed,
and by the person who builds the tarball - but if the majority feel
otherwise I won't protest.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/



Re: Fwd: 1.3.1 missing pgp signature

Posted by Brian Behlendorf <br...@hyperreal.org>.
You know, I was going to comment on this thread, because I found Ben's and
Ken's messages both rather appalling and in error, but it's just not worth
that much of my ever decreasing amount of time for intellectual sparring.
Those who care about the PGP signatures so strongly should just sign the
distributions, end of story.  

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices  |     brian@apache.org
acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org

Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Ben Laurie wrote:
> 
> I still maintain that verifying the binary is considerably harder than
> signing it.

Absolutely.  Whoever constructs a release tarball should sign it;
no-one unwilling or unable to sign it should construct one.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>

Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dean Gaudet wrote:
> 
> On Sat, 25 Jul 1998, Ben Laurie wrote:
> 
> > We don't need them, and they are fairly valueless when it comes to
> > trust anyway. Eudora and pine plugins? Fascinating, but irrelevant.
> 
> I think it's stupid not to sign the outgoing announcement.

Ah, good point.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/



Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Dean Gaudet wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 27 Jul 1998, Ben Laurie wrote:
> 
> > OK, I can see that. If you really want to get PGP sorted out, I'd be
> > more than willing to help. I can't see that PGP 5 is a problem (yeah,
> > people with 2.x can't interoperate but they can upgrade like the rest of
> > us), though if you can be bothered generating a key with 2.x then
> > switching to 5 seems like the way to go these days.
> 
> I actually did generate my first key using 2.x, and then upgraded to 5.  I
> think my confusion can be summarized as:
> 
> I am not at all sure where or how to register my keys.  Consider that I
> will send apache email as dgaudet@apache.org, not @arctic.org ... and I
> believe this is an extra step in creating/registering the key.

Err, I don't think so. You just create the key, add the email addresses
and register it.

I register my keys at pgpkeys.mit.edu port 11371, but I use the Windoze
version to do it, so I can't help (instantly) with the Unix version.

>  Here are
> the keys I have right now:
> 
> % pgpk -l dgaudet
> Type Bits KeyID      Created    Expires    Algorithm       Use
> sec+ 1023 0x163751F5 1997-08-18 ---------- RSA             Sign & Encrypt
> uid  Dean Gaudet <dg...@arctic.org>
> uid  Dean Gaudet <dg...@arctic.org>
> uid  Dean Gaudet <dg...@apache.org>
> 
> sec+ 1024 0xF08E012A 1998-02-19 ---------- DSS             Sign & Encrypt
> sub  2048 0xD8F8125A 1998-02-19 ---------- Diffie-Hellman
> uid  Dean Gaudet <dg...@arctic.org>
> uid  Dean Gaudet <dg...@arctic.org>
> uid  Dean Gaudet <dg...@apache.org>
> 
> 0x163751F5 is the old key I generated with 2.6.x.  The other is a newer
> key.  I've put them into some servers, but I've no idea if I've put them
> into the servers people expect.

I believe they all talk to each other.

> My keys don't have any trust -- because I don't attend many conferences,
> and am totally confused about what I need to do to get other folks to sign
> my keys (whatever the terminology is).

To get someone to sign your key, send them your public key, persuade
them to sign it, and send you back the signed key, and then import what
they send back. Simple.

What people need to persuade them to sign varies from person to person.
In my case I must:

1. Know them.
2. Know that they have the email address I'm signing.
3. Verify the key fingerprint over a channel I can also check their
identity on (usually the phone).

This means I don't sign many keys!

> This is compounded by the fact
> that lots of folks still use 2.6.x and don't know how to tell me what the
> magic pgp 5.x invocations are for the various operations.

Yeah, the docco ain't great, but if you are really stuck, tell me the
operation and I'll figure out the magic.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Fwd: 1.3.1 missing pgp signature

Posted by Hal Snyder <ha...@roxor.org>.
On Mon, Jul 27, 1998 at 06:16:01PM -0400, Rodent of Unusual Size wrote:
> Dean Gaudet wrote:
> > 
> > I've been working under the assumption that the world will move to pgp
> > 5.x... and that's why I generated a key with it.  But Lars makes it sound
> > like we should stick with 2.6.x.  I don't understand.
...
> If the above is true, there is no win-win scenario.  If we sign with DSS
> keys, people using PGP 2.6.* won't be able to deal with them.  If we
> sign with RSA keys, people using PGP 5.2+ will be out in the cold.
...
FWIW, releases of BIND are signed with pgp-2.6.2.

I share Dean's frustration at the current mess, but reserve my expletives
for debates over software patents and crypto export restrictions.

Re: Fwd: 1.3.1 missing pgp signature

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Rodent of Unusual Size:

[...]
>  If the above is true, there is no win-win scenario.  If we sign with DSS
>  keys, people using PGP 2.6.* won't be able to deal with them.  If we
>  sign with RSA keys, people using PGP 5.2+ will be out in the cold.

Huh... *scratch* I'm pretty sure that all PGP 5.x versions understand PGP 2.6.x
output and all pre-5.5 versions are able to generate RSA keys (correct me if
I'm wrong). IIRC PGP 5.5 won't generate RSA keys, but it should be able to
import and verify RSA-signatures.

But I must admit that I've never used PGP 5, because (at least the early
versions) sucked and I've seen too often PGP 5 and the words 'snake oil'
mentioned in one sentence... but that's another issue. 

Anyone around with PGP 5.5? What happens if you check
the current Apache distribution (signed with 2.6.3i)?
  
>  I don't know enough (!) about the market penetration of the various
>  versions to be able to guess a least-loss strategy.  What I've
>  adopted personally is using my RSA keys, PGP 2.6.* on Unix, and
>  PGP 5.0 on Win32.  Only my RSA keys are registered or given out to
>  anyone.

My guess is that most people in the Unix world still use PGP 2.6.x
  
>  Feh.  I don't know anything about this OpenPGP business, but ISTR

Last time I checked www.openpgp.org wasn't operational, but you can
find some OpenPGP drafts at 
ftp://ftp.iks-jena.de/pub/mitarb/lutz/crypt/software/pgp/OpenPGP/


ciao...
-- 
Lars Eilebrecht                               - Reality corrupts.
sfx@unix-ag.org                     - Absolute reality corrupts absolutely.
http://www.home.unix-ag.org/sfx/


Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dean Gaudet wrote:
> 
> I've been working under the assumption that the world will move to pgp
> 5.x... and that's why I generated a key with it.  But Lars makes it sound
> like we should stick with 2.6.x.  I don't understand.

Here's how I understand the chronology:

PGP started out with RSA keys.  2.6.* only knows about those.  It can
generate them and handle things signed with them.

PGP 5.0 was released after PGP Inc. was formed.  It had the same
key capabilities as 2.6.*, but could also generate/handle DSS keys.

PGP Inc. was using the same RSA licence -- and terms thereto -- that had
been granted them as PGP unInc.  RSA took issue with this, since PGP Inc.
was now charging for some versions and RSA wanted a piece of the money
pie.  Litigation ensued.

PGP Inc. released 5.1, which could handle both RSA and DSS keys, but
only generate the latter.

PGP Inc. released 5.2, which can't deal with RSA keys at all, other
than to recognise them and acknowledge their existence.

[The versions may be incorrect, but I believe the sequence is the right
one.  This is only my recollection of what I think went on, and may be
fraught with errors.]

If the above is true, there is no win-win scenario.  If we sign with DSS
keys, people using PGP 2.6.* won't be able to deal with them.  If we
sign with RSA keys, people using PGP 5.2+ will be out in the cold.

I don't know enough (!) about the market penetration of the various
versions to be able to guess a least-loss strategy.  What I've
adopted personally is using my RSA keys, PGP 2.6.* on Unix, and
PGP 5.0 on Win32.  Only my RSA keys are registered or given out to
anyone.

Feh.  I don't know anything about this OpenPGP business, but ISTR
that RSA's patents expire in about 18 months -- at which point much
of this may become meaningless, since they won't be able to litigate
against the use of the algorithms and PGP can put 'em back into
PGP 5.*.

I hope this is right, and clarifies the murkiness.  How far off am
I, Lars?  Ben?

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/



Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Dean Gaudet wrote:
> 
> Ah, and I see another problem -- my pine plugin defaults to the DSS key.
> 
> I've been working under the assumption that the world will move to pgp
> 5.x... and that's why I generated a key with it.  But Lars makes it sound
> like we should stick with 2.6.x.  I don't understand.

If you use a 2.6.x key, then everyone can understand you.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.
Ah, and I see another problem -- my pine plugin defaults to the DSS key. 

I've been working under the assumption that the world will move to pgp
5.x... and that's why I generated a key with it.  But Lars makes it sound
like we should stick with 2.6.x.  I don't understand. 

Dean

On Mon, 27 Jul 1998, Dean Gaudet wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
...


Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 27 Jul 1998, Ben Laurie wrote:

> OK, I can see that. If you really want to get PGP sorted out, I'd be
> more than willing to help. I can't see that PGP 5 is a problem (yeah,
> people with 2.x can't interoperate but they can upgrade like the rest of
> us), though if you can be bothered generating a key with 2.x then
> switching to 5 seems like the way to go these days.

I actually did generate my first key using 2.x, and then upgraded to 5.  I
think my confusion can be summarized as: 

I am not at all sure where or how to register my keys.  Consider that I
will send apache email as dgaudet@apache.org, not @arctic.org ... and I
believe this is an extra step in creating/registering the key.  Here are
the keys I have right now: 

% pgpk -l dgaudet
Type Bits KeyID      Created    Expires    Algorithm       Use
sec+ 1023 0x163751F5 1997-08-18 ---------- RSA             Sign & Encrypt
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@apache.org>

sec+ 1024 0xF08E012A 1998-02-19 ---------- DSS             Sign & Encrypt
sub  2048 0xD8F8125A 1998-02-19 ---------- Diffie-Hellman
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@apache.org>

0x163751F5 is the old key I generated with 2.6.x.  The other is a newer
key.  I've put them into some servers, but I've no idea if I've put them
into the servers people expect. 

My keys don't have any trust -- because I don't attend many conferences,
and am totally confused about what I need to do to get other folks to sign
my keys (whatever the terminology is).  This is compounded by the fact
that lots of folks still use 2.6.x and don't know how to tell me what the
magic pgp 5.x invocations are for the various operations.

Dean


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNbzboH1tv9HwjgEqEQIIzACgrZ2mJt9qxPdcHMVB/pebSlknuUwAoKkU
fpUVWVsWV1KzvmjbNVFfURhV
=riTU
-----END PGP SIGNATURE-----
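The key listing Dean quotes above, and the version-by-algorithm chronology Ken lays out earlier in the thread, worked through as an added example (not code from the thread or from the Apache project): a parser for `pgpk -l` output plus a chooser that applies the thread's interoperability rules to pick which key reaches the most verifiers. The sample listing is constructed from the one quoted above (the archive elides part of the e-mail addresses, so the uid lines are reproduced as quoted), and the `VERIFIES` table is an assumption that encodes Ken's recollection as stated, which he himself flags as possibly wrong.

```python
"""Parse `pgpk -l` output and pick a signing key by which PGP versions can verify it."""
from dataclasses import dataclass, field

# Constructed sample in the `pgpk -l` layout quoted in the thread.  The key IDs,
# dates and algorithms are the ones shown there; the uid addresses are reproduced
# as the archive shows them (partly elided).
SAMPLE_LISTING = """\
Type Bits KeyID      Created    Expires    Algorithm       Use
sec+ 1023 0x163751F5 1997-08-18 ---------- RSA             Sign & Encrypt
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@apache.org>

sec+ 1024 0xF08E012A 1998-02-19 ---------- DSS             Sign & Encrypt
sub  2048 0xD8F8125A 1998-02-19 ---------- Diffie-Hellman
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@arctic.org>
uid  Dean Gaudet <dg...@apache.org>
"""

# Which signature algorithms each PGP generation can verify, as Ken Coar recalls
# it in this thread.  Assumption: he flags the version numbers as uncertain, and
# Lars disputes the point about 5.5 and RSA, so treat this table as illustrative.
VERIFIES = {
    "2.6.x": {"RSA"},
    "5.0": {"RSA", "DSS"},
    "5.1": {"RSA", "DSS"},
    "5.2+": {"DSS"},
}


@dataclass
class Key:
    ktype: str                 # sec+, sec, pub or sub
    bits: int
    keyid: str
    created: str
    expires: str
    algorithm: str
    use: str                   # empty for a sub line without a Use column
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)


def parse_pgpk_listing(text):
    """Turn a `pgpk -l` listing into Key objects.  uid and sub lines attach to
    the preceding primary key; the column header and blank lines are skipped."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Type "):
            continue
        tokens = line.split()
        tag = tokens[0]
        if tag == "uid":
            if current is None:
                raise ValueError("uid line before any key: " + line)
            current.uids.append(line[len(tag):].strip())
        elif tag in ("sec", "sec+", "pub", "sub"):
            if len(tokens) < 6:
                raise ValueError("truncated key line: " + line)
            key = Key(tag, int(tokens[1]), tokens[2], tokens[3], tokens[4],
                      tokens[5], " ".join(tokens[6:]))
            if tag == "sub":
                if current is None:
                    raise ValueError("subkey line before any key: " + line)
                current.subkeys.append(key)
            else:
                keys.append(key)
                current = key
        else:
            raise ValueError("unrecognised pgpk line: " + line)
    return keys


def signing_keys(keys):
    """Secret keys whose Use column allows signing; only these can sign a release."""
    return [k for k in keys if k.ktype.startswith("sec") and "Sign" in k.use]


def reach(key, versions=VERIFIES):
    """PGP versions that can verify a signature made with this key's algorithm."""
    return {v for v, algs in versions.items() if key.algorithm in algs}


def choose_signing_key(keys, audience, versions=VERIFIES):
    """Pick the signing key verifiable by the most of `audience`; on a tie prefer
    the older key.  Returns (key, audience members that would be left out)."""
    audience = set(audience)
    candidates = signing_keys(keys)
    if not candidates:
        raise ValueError("no signing-capable secret key in listing")
    best = min(candidates,
               key=lambda k: (-len(reach(k, versions) & audience), k.created))
    return best, audience - reach(best, versions)


if __name__ == "__main__":
    listing = parse_pgpk_listing(SAMPLE_LISTING)
    for k in listing:
        print(k.keyid, k.algorithm, "verifiable by", sorted(reach(k)))
    key, left_out = choose_signing_key(listing, list(VERIFIES))
    print("sign with", key.keyid, "- left out:", sorted(left_out) or "nobody")
```

With the full version set as the audience the chooser reports that no single key covers everyone, which is Ken's "no win-win scenario" in code form; narrow the audience and it picks accordingly.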


Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Dean Gaudet wrote:
> 
> On Sat, 25 Jul 1998, Ben Laurie wrote:
> 
> > Dean Gaudet wrote:
> > >
> > > I disagree.  Last time I signed a release we got a few dozen emails
> > > indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> > > most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> > > They don't interoperate between versions.  The key servers seem to change
> > > address every couple of months, and there's no damn FAQ that says "here
> > > are the 12 steps to working well with the rest of the world".
> > >
> > > I wasted, and I do mean waste, a day trying to figure it out.  And I
> > > couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
> > > don't know if my key is in the right key servers.  I don't know if my pine
> > > pgp plugin is doing the right thing... the list goes on.
> >
> > It's interesting that everyone seems to have their own area of
> > incompetence. But you do seem to be introducing several red herrings:
> > firstly, key servers; they may have their failings, but so what?
> 
> When I signed one of the 1.3 betas I got several pieces of email asking
> "why isn't your key in the key server?".  So, it's relevant.
> 
> > We
> > don't need them, and they are fairly valueless when it comes to trust
> > anyway. Eudora and pine plugins? Fascinating, but irrelevant.
> 
> I think it's stupid not to sign the outgoing announcement.
> 
> > All we
> > need is that you can sign a binary, having verified that the binary is
> > correct and that you can put your public key in the public key file.
> > Yes, it'd be nice if you could also sign emails, put your key on key
> > servers and so forth, but completely not needed to sign Apache tarballs.
> 
> Disagree.

OK, I can see that. If you really want to get PGP sorted out, I'd be
more than willing to help. I can't see that PGP 5 is a problem (yeah,
people with 2.x can't interoperate but they can upgrade like the rest of
us), though if you can be bothered generating a key with 2.x then
switching to 5 seems like the way to go these days.

Can't help you with Eudora or pine, though - I don't use them.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.

On Sat, 25 Jul 1998, Ben Laurie wrote:

> Dean Gaudet wrote:
> > 
> > I disagree.  Last time I signed a release we got a few dozen emails
> > indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> > most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> > They don't interoperate between versions.  The key servers seem to change
> > address every couple of months, and there's no damn FAQ that says "here
> > are the 12 steps to working well with the rest of the world".
> > 
> > I wasted, and I do mean waste, a day trying to figure it out.  And I
> > couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
> > don't know if my key is in the right key servers.  I don't know if my pine
> > pgp plugin is doing the right thing... the list goes on.
> 
> It's interesting that everyone seems to have their own area of
> incompetence. But you do seem to be introducing several red herrings:
> firstly, key servers; they may have their failings, but so what?

When I signed one of the 1.3 betas I got several pieces of email asking
"why isn't your key in the key server?".  So, it's relevant.

> We
> don't need them, and they are fairly valueless when it comes to trust
> anyway. Eudora and pine plugins? Fascinating, but irrelevant.

I think it's stupid not to sign the outgoing announcement. 

> All we
> need is that you can sign a binary, having verified that the binary is
> correct and that you can put your public key in the public key file.
> Yes, it'd be nice if you could also sign emails, put your key on key
> servers and so forth, but completely not needed to sign Apache tarballs.

Disagree.

Dean


Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Dean Gaudet wrote:
> 
> I disagree.  Last time I signed a release we got a few dozen emails
> indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> They don't interoperate between versions.  The key servers seem to change
> address every couple of months, and there's no damn FAQ that says "here
> are the 12 steps to working well with the rest of the world".
> 
> I wasted, and I do mean waste, a day trying to figure it out.  And I
> couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
> don't know if my key is in the right key servers.  I don't know if my pine
> pgp plugin is doing the right thing... the list goes on.

It's interesting that everyone seems to have their own area of
incompetence. But you do seem to be introducing several red herrings:
firstly, key servers; they may have their failings, but so what? We
don't need them, and they are fairly valueless when it comes to trust
anyway. Eudora and pine plugins? Fascinating, but irrelevant. All we
need is that you can sign a binary, having verified that the binary is
correct and that you can put your public key in the public key file.
Yes, it'd be nice if you could also sign emails, put your key on key
servers and so forth, but completely not needed to sign Apache tarballs.

I still maintain that verifying the binary is considerably harder than
signing it.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Rodent of Unusual Size wrote:
> 
> Since 00H01 Sunday - about 18 hours ago - there have been 59 requests
> for the release files and 63 for the .asc files through FTP, and 25
> requests for the .asc through HTTP.

When I wrote the above I was really weirded out, time-wise.  Obviously
the original message was written *Sunday* morning, and hence the interval
was 6 hours, not 18.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/



Re: Fwd: 1.3.1 missing pgp signature

Posted by David Southwell <da...@cyberc.demon.co.uk>.
On Sun, 26 Jul 1998, Rodent of Unusual Size wrote:

> David Southwell wrote:
> > 
> > KEY QUESTIONS! (no pun intended!) ;-)
> > 1. How many people actually use it?
> 
> What, PGP in general?  
Not really relevant!


>How many use the signature to verify the Apache releases?  
Much more pertinent!

>There's no way to tell - but enough people expect it that we get
>complaints if a release isn't signed. 

Yep but the complaints only seem to come from those who do sign em --
kind of "I take the trouble so why shouldn't you" rather than a complaint
"Hey I have taken this to be genuine and it was not!!"

>It's unclear whether they expect it because
> we've done it in the past, or because it's a common practice.
It seems to be more of type I do it - so you must - which is not really a
point to need!!
 
> > 2. Can we be convinced it is really essential?
> 
> If we only did things that were essential, Apache wouldn't
> exist.  
Not relevant -- maybe essential is too strong -- maybe "demanded
behaviour" is more accurate representation.

> Trojanned copies.

Is there any real problem about trojanning - unless
www.apache.org has poor security and is badly managed anyone who is really
doubtful would check back to the source held there. Sounds like
belt/braces & string to me!!

 
> > 3. Does someone who fails to PGP sign really deserve being pilloried?
> 
> Who's getting pilloried? 

Sounded like it to me! Response was a bit too authoritarian for my taste!

> That's a very strong word.
> Fails to sign: probably not.  Refuses to sign: perhaps.

> Personally, I think it's part of the process, like paying dues.

Frankly not convinced -- too subjective -- depends upon whether people
agree to be bound by such rules -- if they do fine -- if not a bit of
laissez faire would not go amiss!

> If someone's not willing to sign a release, he shouldn't be
> responsible for constructing it

That seems very subjective to me --
Some people might sign others might not - as they are doing it for free
seems Ok to me!


> > 4. Did the introduction of the process come about due to a
> > significant bad experience or was it introduced as a "generally
> > good idea"?
> 
> I personally don't know the answer to that one, but I suspect
> the latter.

So do I -- it seems to me like a practice that doesn't do any harm - but one
that there is no essential need for it to happen!!


> > 5. Do we really have anything to fear from dropping the practice?
> 
> Only some loss of credibility.

The credibility is in the release not the signature!

> Signing a release is not a big deal.  It takes a few seconds.  

OK for some but at least one person didn't find that to be so -- comes down
to tolerance really!


> > OBSERVATIONS!
> > From what I have heard so far it does seem to sound like an almost
> > entirely unused sledge hammer kept around to crack hypothetical nuts!!


> 
> Since 00H01 Sunday - about 18 hours ago - there have been 59 requests
> for the release files and 63 for the .asc files through FTP, and 25
> requests for the .asc through HTTP.  That's only on the Apache.Org
> site itself, not any of the mirrors.  I don't know what the request
> rates were like in the early days of the release, but those numbers
> don't look very hypothetical.

Sorry but you are arguing against your proposition here!

There is no logical correlation between numbers of files requested from
apache.org and any hypothetical need for PGP signing. Indeed the
correlation is in favour of the argument against a requirement for PGP 
signing.

By definition those that got the files from Apache.org got the right ones,
unless as I said earlier the security is crap (which I doubt). It
therefore means that PGP signing was not required for at least that number
of downloads.

> 
> > However from what has been said so far it seems that people who are
> > likely to be in the position to doubt the validity of a tarball are
> > few and far between. They are also more likely to ask here than go
> > through the hassle of checking it out using PGP!


> 
> No and no (IMHO).  This list was kept pretty much a secret until
> a few months ago, and still isn't widely published.  There are
> only 223 subscribers to it right now.  The number of Web sites
> using the software is almost 6000 times as large.  If we assume that
> 30% of those Web sites are really vhosts, 100% want to download,
> and that only 20% of downloaders want to check the signature,
> that still leaves us with over 150'000 people.
> 
I would suggest that 1% using PGP checking would overstate the case - and
those who needed to be sure would have downloaded from apache.org in any
case to make sure they had the latest in case mirrors were not up to date!

> Checking the signature isn't any more hassle than creating it.
> A few seconds at best - again, once you know how.
> 


> > On the one hand low expectations of downloader capabilities are
> > demonstrated by not keeping old releases around (apparently for fear
> > that people are not able to distinguish between releases that are and
> > are not currently supported) ; on the other hand there is an implied
> > perception that PGP signing is essential from which one deduces an
> > appropriate level of competence!

 
> It's not 'apparently for fear,' it's because 'experience has shown.'
> We're dealing with large numbers here.  If only 1% of the downloaders
> choose something stale, and only 1% of *those* report a problem that's
> fixed in a release later than they installed, that's still nearly
> 100 reports.  

They could still get hold of an old signed copy so the point is
irrelevant. What we are talking about are incompatible views of user
competence! (a) they must have PGP signed copies (b) they are not capable
of checking whether they have the latest release!! 
 
> Consider the size of the Apache user base.  There is room for
> both highly competent people who want the PGP signatures and
> clewless 

(I presume you mean clueless!!)

> masses that will install antique 
(recently revised!)

> software.  

They may find something which worked on a previous version doesn't work on
the current - this will provide valuable debugging information. If they
deleted the older version then they may need to re-install to provide the
debug information we need!

> And either can easily overwhelm us by virtue of the sheer
> size of the issue.

You seem to be suggesting that the occasional release which is not PGP
signed would overwhelm us due to complaints

 - not convinced - 

Hell, it is not even a requirement for operating system releases - what
could be more fundamental than that!

OK LET'S TRY AND RECONCILE THE POINTS OF VIEW!
 
It seemed to me that some responses to a guy who didn't PGP sign were over
the top and a tadge authoritarian.

In these circumstances if the guy doesn't want to PGP sign it I would thank
him/her for releasing it - and that should be the end of the matter!

If the next guy who does a release wants to sign it, it doesn't do any harm
and may do some good - so let's thank him/her and that should be the end of
the matter!

Let's not be prescriptive about practices that are not essential!

> No, because all things are not equal.  We are a few dozens trying
> to support hundreds of thousands.

OK so let us recognise it is important not to offend volunteers who give
freely of their time, energy and resources over something which is, on the
scale of things, so insignificant!

enjoy life! :-)

david S.


David Southwell
Chairman      
CyberCity Ltd            (European agents for CyberCity Inc. BVI)
+44 117 955 8225            CyberCity Technology in Europe
BCDP Technology ++Beyond the Corporate Doorway Processing Solutions++


Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
David Southwell wrote:
> 
> KEY QUESTIONS! (no pun intended!) ;-)
> 1. How many people actually use it?

What, PGP in general?  At least tens of thousands use it regularly,
at a guess.  How many use it for the common task of integrity
checking?  Again at a guess, at least that many.  How many
use the signature to verify the Apache releases?  There's no way to
tell - but enough people expect it that we get complaints if a
release isn't signed.  It's unclear whether they expect it because
we've done it in the past, or because it's a common practice.

> 2. Can we be convinced it is really essential?

If we only did things that were essential, Apache wouldn't
exist.  Given that the software is free, very popular, and
there's no recourse for liability issues, I expect some
people want signed software to avoid getting spoofed by
Trojanned copies.

> 3. Does someone who fails to PGP sign really deserve being pilloried?

Who's getting pilloried?  That's a very strong word.
Fails to sign: probably not.  Refuses to sign: perhaps.
Personally, I think it's part of the process, like paying dues.
If someone's not willing to sign a release, he shouldn't be
responsible for constructing it.

> 4. Did the introduction of the process come about due to a
> significant bad experience or was it introduced as a "generally
> good idea"?

I personally don't know the answer to that one, but I suspect
the latter.

> 5. Do we really have anything to fear from dropping the practice?

Only some loss of credibility.  Signing a release is not a big
deal.  It takes a few seconds.  Getting set up to do it right
takes *maybe* an hour, once - if, as Dean points out, you know
the necessary steps or have a cookbook.

> OBSERVATIONS!
> From what I have heard so far it does seem to sound like an almost
> entirely unused sledge hammer kept around to crack hypothetical nuts!!

Since 00H01 Sunday - about 18 hours ago - there have been 59 requests
for the release files and 63 for the .asc files through FTP, and 25
requests for the .asc through HTTP.  That's only on the Apache.Org
site itself, not any of the mirrors.  I don't know what the request
rates were like in the early days of the release, but those numbers
don't look very hypothetical.

> However from what has been said so far it seems that people who are
> likely to be in the position to doubt the validity of a tarball are
> few and far between. They are also more likely to ask here than go
> through the hassle of checking it out using PGP!

No and no (IMHO).  This list was kept pretty much a secret until
a few months ago, and still isn't widely published.  There are
only 223 subscribers to it right now.  The number of Web sites
using the software is almost 6000 times as large.  If we assume that
30% of those Web sites are really vhosts, 100% want to download,
and that only 20% of downloaders want to check the signature,
that still leaves us with over 150'000 people.

Checking the signature isn't any more hassle than creating it.
A few seconds at best - again, once you know how.

> On the one hand low expectations of downloader capabilities are
> demonstrated by not keeping old releases around (apparently for fear
> that people are not able to distinguish between releases that are and
> are not currently supported) ; on the other hand there is an implied
> perception that PGP signing is essential from which one deduces an
> appropriate level of competence!

It's not 'apparently for fear,' it's because 'experience has shown.'
We're dealing with large numbers here.  If only 1% of the downloaders
choose something stale, and only 1% of *those* report a problem that's
fixed in a release later than they installed, that's still nearly
100 reports.  We get enough from people who are using old versions
and haven't upgraded without making matters worse by helping
new installations use old versions.

Consider the size of the Apache user base.  There is room for
both highly competent people who want the PGP signatures and
clewless masses that will install antique software.  And either
can easily overwhelm us by virtue of the sheer size of the issue.

> Subject to there being some other unexplained factors these two
> perceptions are, on the face of it, mutually incompatible.

No, because all things are not equal.  We are a few dozens trying
to support hundreds of thousands.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>

Re: Fwd: 1.3.1 missing pgp signature

Posted by David Southwell <da...@cyberc.demon.co.uk>.
On Sat, 25 Jul 1998, Rodent of Unusual Size wrote:

> David Southwell wrote:
> > 
> > Going back to basics can someone spell out for me and other
> > comparative newcomers:

> > 1. what benefits are gained by using the key.
> > 2. why it is always essential to use it
> 
> The answers to these are the same.  By having a trusted person
> sign a release, and have both the signature and the signer's
> public key available online in a secure location, someone who
> downloads the tarball - regardless of from where - can check the
> signature against what it's supposed to be and be assured that
> what he's gotten is what the signer approved.
> 
Clear enough answer to Question 1

But it doesn't seem to satisfactorily answer Question 2 -

KEY QUESTIONS! (no pun intended!) ;-)
1. How many people actually use it?

2. Can we be convinced it is really essential?

3. Does someone who fails to PGP sign really deserve being pilloried? 

4. Did the introduction of the process come about due to a significant bad
experience or was it introduced as a "generally good idea"?

5. Do we really have anything to fear from dropping the practice? 

OBSERVATIONS!
From what I have heard so far it does seem to sound like an almost
entirely unused sledge hammer kept around to crack hypothetical nuts!!

Coming to this without the experience on this list that you guys all
have means I say this in knowledge that I may be missing an essential 
something. 

However from what has been said so far it seems that people who are likely
to be in the position to doubt the validity of a tarball are few and far
between. They are also more likely to ask here than go through the hassle
of checking it out using PGP!

On the one hand low expectations of downloader capabilities are
demonstrated by not keeping old releases around (apparently for fear that
people are not able to distinguish between releases that are and are not
currently supported); on the other hand there is an implied perception
that PGP signing is essential from which one deduces an appropriate level
of competence!

Subject to there being some other unexplained factors these two
perceptions are, on the face of it, mutually incompatible.

Sounds to me more like something that is required very rarely between
consenting adults!

david S


David Southwell
Chairman      
CyberCity Ltd            (European agents for CyberCity Inc. BVI)
+44 117 955 8225            CyberCity Technology in Europe
BCDP Technology ++Beyond the Corporate Doorway Processing Solutions++


Re: Fwd: 1.3.1 missing pgp signature

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
David Southwell wrote:
> 
> Going back to basics can someone spell out for me and other
> comparative newcomers:

The issues are common to many, if not most, forms of software
distribution over the net.

> 1. what benefits are gained by using the key.
> 2. why it is always essential to use it

The answers to these are the same.  By having a trusted person
sign a release, and have both the signature and the signer's
public key available online in a secure location, someone who
downloads the tarball - regardless of from where - can check the
signature against what it's supposed to be and be assured that
what he's gotten is what the signer approved.

Think of it as a very secure form of checksumming, for integrity
assurance.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>

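Added example, not code from the thread or from Apache: a toy model of the detached-signature check Ken describes above, set beside a plain checksum to show what "a very secure form of checksumming" buys when the tarball comes from a mirror. It uses textbook RSA over a SHA-256 digest with two fixed Mersenne primes so it runs offline; the key, the file names and the file contents are constructed, and it is not a usable signing scheme.

```python
import hashlib

# Toy RSA key pair.  n is about 92 bits: useless for real security, enough to
# show the mechanics.  (PGP 2.6.x, recommended later in the thread, signed with
# RSA over an MD5 digest; SHA-256 is used here.)
P, Q = 2**61 - 1, 2**31 - 1          # both are known (Mersenne) primes
N = P * Q
E = 65537                             # public exponent, published with N
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, kept by the signer


def digest_int(data: bytes) -> int:
    """Hash the file and reduce into the RSA group (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_release(tarball: bytes, d: int = D) -> int:
    """Release manager's step: the detached signature published as the .asc."""
    return pow(digest_int(tarball), d, N)


def verify_release(tarball: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Downloader's step.  Needs only the public key (e, n), fetched once from
    the trusted site; the tarball and .asc themselves may come from any mirror."""
    return pow(sig, e, n) == digest_int(tarball)


def checksum(data: bytes) -> str:
    """A plain checksum, the weaker cousin Ken compares the signature to."""
    return hashlib.md5(data).hexdigest()


def mirror_scenario() -> dict:
    """Constructed scenario: the genuine tarball, and a copy altered on a mirror
    by someone who can also rewrite the checksum file kept on that mirror."""
    genuine = b"constructed stand-in for apache_1.3.1.tar.gz\n"
    published_sig = sign_release(genuine)     # made once, with the private key
    trusted_sum = checksum(genuine)           # checksum as held on the trusted site

    tampered = genuine + b"# bytes injected on the mirror\n"
    mirror_sum = checksum(tampered)           # the attacker regenerates this freely

    return {
        # the signature under the trusted key accepts the genuine file only
        "genuine_verifies": verify_release(genuine, published_sig),
        "tampered_verifies": verify_release(tampered, published_sig),
        # without D the attacker can only guess at a signature for the altered file
        "forged_sig_verifies": verify_release(tampered, published_sig + 1),
        # a checksum is only as trustworthy as the place it was fetched from
        "checksum_from_mirror_matches": checksum(tampered) == mirror_sum,
        "checksum_from_trusted_site_matches": checksum(tampered) == trusted_sum,
    }


if __name__ == "__main__":
    for name, result in mirror_scenario().items():
        print(f"{name}: {result}")
```
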
Re: Fwd: 1.3.1 missing pgp signature

Posted by David Southwell <da...@cyberc.demon.co.uk>.
OK there seems to be some hassle over this..

Going back to basics can someone spell out for me and other comparative
newcomers:  

1. what benefits are gained by using the key.

2. why it is always essential to use it

david


David Southwell
Chairman      
CyberCity Ltd            (European agents for CyberCity Inc. BVI)
+44 117 955 8225            CyberCity Technology in Europe
BCDP Technology ++Beyond the Corporate Doorway Processing Solutions++


Re: Fwd: 1.3.1 missing pgp signature

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Dean Gaudet:

>  I disagree.  Last time I signed a release we got a few dozen emails
>  indicating I'd done it wrong.  Apparently I wasn't supposed to use the
>  most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks. 
>  They don't interoperate between versions. 

Yes, PGP 5.x sucks, but 5.x and 2.6.x are - to some degree - compatible.
PGP 5.x can decrypt/check 2.6.x encrypted/signed data and AFAIK
PGP 2.6.x is able to handle PGP 5.x output if you use only RSA keys with
IDEA/MD5 and not ElGamal or DSS. If you use the latter PGP 2.6.x
complains about an unsupported packet format or something like that.

IMHO we should only sign the Apache distributions with
PGP 2.6.x (current version is 2.6.3) to avoid any problems.

>  The key servers seem to change
>  address every couple of months, and there's no damn FAQ that says "here
>  are the 12 steps to working well with the rest of the world". 

More than 12 steps, but... http://www.pgp.net/pgpnet/pgp-faq/
  
>  I wasted, and I do mean waste, a day trying to figure it out.  And I
>  couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
>  don't know if my key is in the right key servers.  I don't know if my pine
>  pgp plugin is doing the right thing... the list goes on. 

I'm sure OpenPGP will remedy most of those problems (especially the
compatibility problems). Recently (at a German Linux congress) I talked
to one of the OpenPGP developers and he told me that there are plans
to release the first public version in October.


ciao...
-- 
Lars Eilebrecht                          - "If it works, don't fix it."
sfx@unix-ag.org                                           (Sam Rayburn)
http://www.home.unix-ag.org/sfx/


Re: Fwd: 1.3.1 missing pgp signature

Posted by Dean Gaudet <dg...@arctic.org>.
I disagree.  Last time I signed a release we got a few dozen emails
indicating I'd done it wrong.  Apparently I wasn't supposed to use the
most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks. 
They don't interoperate between versions.  The key servers seem to change
address every couple of months, and there's no damn FAQ that says "here
are the 12 steps to working well with the rest of the world". 

I wasted, and I do mean waste, a day trying to figure it out.  And I
couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
don't know if my key is in the right key servers.  I don't know if my pine
pgp plugin is doing the right thing... the list goes on. 

Dean

On Thu, 23 Jul 1998, Ben Laurie wrote:

> Brian Behlendorf wrote:
> > 
> > Could someone get off their duff and sign the apache 1.3.1 releases?  Don't
> > make me learn PGP with all its inter-version incompatibilities.  :)
> 
> Learning PGP is trivial in comparison to comparing an Apache release to
> trusted source to verify that it is OK to sign. Whoever rolls the
> release should sign it.
> 
> Cheers,
> 
> Ben.
> 
> -- 
> Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
> Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
> and Technical Director|Email: ben@algroup.co.uk |
> A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
> London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
> 
> WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
> 


Re: Fwd: 1.3.1 missing pgp signature

Posted by Ben Laurie <be...@algroup.co.uk>.
Brian Behlendorf wrote:
> 
> Could someone get off their duff and sign the apache 1.3.1 releases?  Don't
> make me learn PGP with all its inter-version incompatibilities.  :)

Learning PGP is trivial in comparison to comparing an Apache release to
trusted source to verify that it is OK to sign. Whoever rolls the
release should sign it.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

RE: Fwd: 1.3.1 missing pgp signature

Posted by Rasmus Lerdorf <ra...@lerdorf.on.ca>.
> BTW, is there a reason why the default language for pgp on taz
> is set to Russian? I wanted to verify the .asc files after I uploaded
> them, but the output was a bit too cryptic for my eyes. ;-)

Sheez, all these language impaired people...

-Rasmus


RE: Fwd: 1.3.1 missing pgp signature

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Brian Behlendorf:

>  
>  Could someone get off their duff and sign the apache 1.3.1 releases?

I just signed the .Z and .gz files, but not the Win32 archive... I'm
not very motivated to squeeze a 3M Windoze app through my dial-up
line. ,-)

>  Don't make me learn PGP with all its inter-version incompatibilities.  :)

Why not? It's damn easy. :)
BTW, is there a reason why the default language for pgp on taz
is set to Russian? I wanted to verify the .asc files after I uploaded
them, but the output was a bit too cryptic for my eyes. ;-)


ciao...
-- 
Lars Eilebrecht                             - I may have my faults...
sfx@unix-ag.org                       - but being wrong isn't one of them.
http://www.home.unix-ag.org/sfx/