From: Thomas Stivers
Date: Tue, 2 Dec 2003 04:55:13 -0600
To: "Speakup is a screen review system for Linux."
Subject: Re: slackware iso's

On 12/01/03 5:30 PM -0600, Gregory Nowak wrote:
> I used the gpg method you describe below. However, it occurred to me
> that there is nothing stopping someone from potentially cracking an
> ftp server, and changing the iso image, while leaving the asc file
> intact. So, doing gpg --verify would still tell you the
> signature is correct, even though the iso(s) had been messed with.

The signature file is verified against the iso. If you didn't have it in
the same directory or if it was corrupted, the signature wouldn't verify.

> Am I missing something here, or is this train of thought actually
> correct? If this train of thought is correct, then what's the point of
> the .asc file, other than to give an unsuspecting user a false sense
> of security?

I suppose it is possible that someone could generate a new key with a
userid of security@slackware.com, but you would probably hear about
something like that from other sources.

-- 
Unix is a user friendly operating system. It just picks its friends more
carefully than others.
Thomas Stivers e-mail: stivers_t@tomass.dyndns.org gpg: 45CBBABD
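The two cases raised in this exchange, as an added example that is not part of the original mail: a replaced image with the old .asc left in place, and a replaced image re-signed by a different key carrying the same user ID. It assumes GnuPG 2.2 or later; every key, user ID and file in it is a constructed placeholder created in a temporary directory.

```sh
#!/bin/sh
# Added example: detached-signature checks with throwaway keys.
# Assumes GnuPG 2.2+; user ID and "ISO" contents are constructed placeholders.

g() { home=$1; shift; gpg --homedir "$home" --batch --quiet "$@" >/dev/null 2>&1; }

new_key() {  # new_key <homedir> <user-id>: unprotected throwaway signing key
    mkdir -m 700 "$1" &&
    g "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never
}

check() {  # check <label> <homedir> <sig> <file>: prints label=pass or label=fail
    if g "$2" --verify "$3" "$4"; then echo "$1=pass"; else echo "$1=fail"; fi
}

demo() (
    w=$(mktemp -d) || exit 1
    uid='Distro Security (constructed) <security@distro.example>'
    new_key "$w/distro" "$uid"      # the real signer
    new_key "$w/attacker" "$uid"    # a different key with the identical user ID
    mkdir -m 700 "$w/user"          # the downloader's keyring

    # The downloader holds only the distributor's public key.
    g "$w/distro" --output "$w/distro.pub" --export
    g "$w/user" --import "$w/distro.pub"

    printf 'constructed stand-in for an ISO image\n' > "$w/image.iso"
    g "$w/distro" --output "$w/image.iso.asc" --armor --detach-sign "$w/image.iso"
    a=$(check genuine "$w/user" "$w/image.iso.asc" "$w/image.iso")

    # Case from the question: image changed on the server, .asc left intact.
    printf 'modified\n' >> "$w/image.iso"
    b=$(check tampered_old_asc "$w/user" "$w/image.iso.asc" "$w/image.iso")

    # Case from the reply: image re-signed by a look-alike key.
    g "$w/attacker" --output "$w/fake.asc" --armor --detach-sign "$w/image.iso"
    c=$(check tampered_new_asc "$w/user" "$w/fake.asc" "$w/image.iso")
    # The forged signature only verifies where the look-alike key was imported.
    d=$(check attacker_keyring "$w/attacker" "$w/fake.asc" "$w/image.iso")

    for h in distro attacker user; do
        gpgconf --homedir "$w/$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$w"
    echo "$a $b $c $d"
)

demo
```

The result depends on which key is in the verifier's keyring, not on the user ID string, so the key's fingerprint should be confirmed through a channel other than the download server.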