From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dmitri Date: Thu, 18 Oct 2001 02:35:48 +0000 Subject: Re: Automatic download and installation of drivers. MIME-Version: 1 Content-Type: multipart/mixed; boundary="+xNpyl7Qekk2NvDX" Message-Id: List-Id: References: In-Reply-To: To: linux-hotplug@vger.kernel.org --+xNpyl7Qekk2NvDX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Quoting Keith Owens : > >Linus already signs his kernel releases. >=20 > No he does not. The signatures on files obtained from ftp.kernel.org > and mirrors are automatically generated by a script on kernel.org as > files are uploaded. The signature is by ftpadmin, not the person who > put the file there. It says nothing about who uploaded the file, it > only proves that the file came from kernel.org and has not been > tampered with since upload. The idea is the same: the owner of the secret key signs the package. That owner can be a human or a machine. You have to trust the owner. Of course, automated signing is less secure and I don't think it can be used in this project. In fact, what the ftp server can do is to verify the signature of the package after the developer uploads it. Only properly signed files, from known developers, are permitted to stay on the distribution site. Just another little bit of security... Dmitri --=20 panic("esp: Aiee penguin on the SCSI-bus."); (from linux/drivers/scsi/esp.c) --+xNpyl7Qekk2NvDX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7zkADVqZS2gkpo2kRAvYMAJ9nM7crMZsiuqfTeN8AvnAFL8hRTgCeNBWI yArJsUphkUkqBeo8SbJFaPM= =YFXi -----END PGP SIGNATURE----- --+xNpyl7Qekk2NvDX-- _______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel