From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110201/002410.html | 115 ++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110201/002410.html (limited to 'zarb-ml/mageia-dev/20110201/002410.html') diff --git a/zarb-ml/mageia-dev/20110201/002410.html b/zarb-ml/mageia-dev/20110201/002410.html new file mode 100644 index 000000000..a1be3ebeb --- /dev/null +++ b/zarb-ml/mageia-dev/20110201/002410.html @@ -0,0 +1,115 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ David Sjölin + david.sjolin at gmail.com +
+ Tue Feb 1 12:31:49 CET 2011 +

+
+ +
Hello!
+
+I know this is probably a stupid question, but if you don't ask you
+won't learn so.
+
+What is this signing? I assume we won't encrypt the entire
+distribution? Is it some sort of way of saying that a package is
+"Approved by Mageia" so the package manager can warn about non
+approved packages?
+
+Regards,
+
+David
+
+
+
+On Tue, Feb 1, 2011 at 11:47 AM, Pascal Terjan <pterjan at gmail.com> wrote:
+> On Tue, Feb 1, 2011 at 00:35, Dick Gevers <dvgevers at xs4all.nl> wrote:
+>> On Tue, 01 Feb 2011 00:15:36 +0100, Michael Scherer wrote about Re:
+>> [Mageia-dev] PGP keys and package signing:
+>>
+>>>Le lundi 31 janvier 2011 à 21:49 +0000, Dick Gevers a écrit :
+>>>> On Mon, 31 Jan 2011 17:18:25 +0100, Michael Scherer wrote about Re:
+>>>> [Mageia-dev] PGP keys and package signing:
+>>>>
+>>>> >The problem is not leaking the key, it is about cryptographic attacks
+>>>> >about older keys.
+>>>> >
+>>>> >If in 10 years, there is some technology that allows people to get our
+>>>> >private key by bruteforce on the public one
+>>>>
+>>>> You can never ever obtain the private key from the public one, that is
+>>>> impossible. It can only be compromised if someone looses the private key
+>>>> plus the password is cracked.
+>>>
+>>>Some secure systems have been seen compromised ( like
+>>>http://www.win.tue.nl/hashclash/rogue-ca/, who explain how the whole SSL
+>>>business was compromised 2 years ago, or see the GSM being cracked at
+>>>this year 27C3 ).
+>>>
+>>>And Debian also got ride of older vulnerable gpg keys ( see
+>>>http://lists.debian.org/debian-devel-announce/2010/04/msg00018.html and
+>>>http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html ),
+>>>so I would not be so optimistic about the "never".
+>>>
+>>>Technically, MD5 should not have been reversible, but see how easy it is
+>>>using a rainbow table. Granted, that's a 20 year protocol, but that's
+>>>still widely used in lots of software.
+>>
+>> Sorry, but I am not convinced: the gpg key we are talking about consists of
+>> 2 parts: the private key is separate from the public key, or signing key.
+>> The signing key is a separate or subkey and does not contain any part of the
+>> private key. So you can throw any amount of computing power at it, but
+>> there is nothing inside the public key that will enable the rebuilding of
+>> the private key from it.
+>
+> Encrypt stuff with the public one, try to decrypt it with the 2^4096
+> (or whatever) possible private keys.
+>
+
+ + + +
+

+ +
+More information about the Mageia-dev +mailing list
+
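Review bot: the addresses quoted in the message body, `<pterjan at gmail.com>` and `<dvgevers at xs4all.nl>`, sit in angle brackets while the header address is rendered bare as "david.sjolin at gmail.com"; confirm those brackets are entity-escaped in the committed HTML so a browser does not parse them as tags, and since these archive pages are being committed to a public repository, apply the same "at" obfuscation consistently to every address in the file rather than only the header.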