
Re: [gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?

From: Sam Geeraerts
Subject: Re: [gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?
Date: Sun, 22 Dec 2013 22:37:17 +0100

On Fri, 20 Dec 2013 03:02:26 +0000
Sam Kuper <address@hidden> wrote:

> OK, so the next best thing is to download the gNewSense GPG keyring
> file gnewsense-keyring.gpg from somewhere that does have a "secure"
> connection
> ( )
> and try to verify downloads with that. First steps:

That's the keyring with the keys of the project members, not the
repository key. You can find the repository key in the
gnewsense-archive-keyring package [1] (file
keyrings/gnewsense-archive-keyring.gpg). You can check that it's the
right key by verifying the fingerprint, which is listed on our website
[2], but I'll give it here to avoid any doubt:

4F8A 7A4A 66A7 83D1 5560  7F1E E4D0 9D08 BF11 9352

> If not, is there an ETA for the implementation of SSL/TLS on the
> gNewSense website; or a possibility the gNewSense project might start
> serving its files through Savannah instead of (or in addition to)
> directly from the gNewSense website, in order to benefit from
> Savannah's HTTPS?

Savannah is not designed to serve a distribution's package repository.

gNewSense has no money, so we can't get a certificate from the big CAs.
We might get one from CAcert, but that's not trusted by most browsers,
as far as I know. That might make it as trustworthy to you as a
self-signed certificate. So adding SSL support would be either 'better
than nothing' or 'a false sense of security', depending on your view.

I'm more of the former view, but implementing this is low on my
priority list, because I don't want to muck around with the web
server's configuration and I'd have to polish up my knowledge of
certificate administration.
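
An added example (not part of the original message and not gNewSense's own tooling): a shell check that a downloaded keyring file contains a primary key with the full fingerprint quoted in the message above. The function names are hypothetical, and it assumes GnuPG is installed and the keyring path is passed as the only argument.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Fingerprint is the one quoted above.
EXPECTED_FPR='4F8A 7A4A 66A7 83D1 5560  7F1E E4D0 9D08 BF11 9352'

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin; print each primary key fingerprint:
# the "fpr" record (field 10) that follows a "pub" record. Subkeys are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# check_colons FPR: 0 if FPR is a primary key in the listing on stdin,
# 1 if it is absent, 2 if FPR is not a full 40-hex-digit fingerprint
# (short key IDs are refused, they are not unique enough to pin).
check_colons() {
    want=$(normalize_fpr "$1")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    primary_fprs | grep -qxF "$want"
}

# List the keyring file without touching the user's own keyring.
verify_keyring() {
    case "$1" in */*) kr=$1 ;; *) kr=./$1 ;; esac   # bare names would resolve in ~/.gnupg
    gpg --no-default-keyring --keyring "$kr" --with-colons --fingerprint 2>/dev/null |
        check_colons "$EXPECTED_FPR"
}

if [ "$#" -eq 1 ]; then
    if verify_keyring "$1"; then
        echo "OK: $1 contains the expected archive key"
    else
        echo "FAIL: expected fingerprint not found in $1" >&2
        exit 1
    fi
fi
```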

