Linux 3.0.7 now on kernel.org

Linux 3.0.7 now on kernel.org

[Greg KH]

I wanted to let people know that the 3.0.7 release is now downloadable
in patch and full-tarball form from kernel.org:
	http://www.kernel.org/pub/linux/kernel/v3.0/
as well as the incremental patches in the incr/ subdir:
	http://www.kernel.org/pub/linux/kernel/v3.0/incr/

ftp.kernel.org also works for those of you using that protocol.

You will note that the files are signed with my new kernel release
signing key, and that the .tar file is signed, and then compressed, so
there is not signatures for the individual compressed files.

For those of you caring and wanting to verify things, the fingerprint of
my signing key is:
	4096R/6092693E 2011-09-23
	Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
	Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>

The 3.0.5 and 3.0.6 releases are there as well if people want them.

I'll work on the older releases as we get time, that shouldn't be that
pressing of an issue at the moment.

Thanks so much to John and hpa for working hard on the tools and backend
configuration to make this possible.

thanks,

greg k-h

Re: Linux 3.0.7 now on kernel.org

[Piotr Hosowicz]

On 23.10.2011 10:31, Greg KH wrote:

> You will note that the files are signed with my new kernel release
> signing key, and that the .tar file is signed, and then compressed, so
> there is not signatures for the individual compressed files.

And why is that? It's less handy.

-- 
- Jaka jest największa anomalia fizjologiczno-polityczna?
- Członek wysunięty z ramienia na czoło.
NP: Caligula's Horse - Equally Flawed
NB: 3.1.0-rc3

Re: Linux 3.0.7 now on kernel.org

[Greg KH]

On Sun, Oct 23, 2011 at 02:24:53PM +0200, Piotr Hosowicz wrote:
> On 23.10.2011 10:31, Greg KH wrote:
> 
> >You will note that the files are signed with my new kernel release
> >signing key, and that the .tar file is signed, and then compressed, so
> >there is not signatures for the individual compressed files.
> 
> And why is that? It's less handy.

I'll let hpa answer that one, he changed it for a good reason that I
can't recall at the moment :)

hpa?

thanks,

greg k-h

Re: Linux 3.0.7 now on kernel.org

[H. Peter Anvin]

On 10/23/2011 02:29 PM, Greg KH wrote:
> On Sun, Oct 23, 2011 at 02:24:53PM +0200, Piotr Hosowicz wrote:
>> On 23.10.2011 10:31, Greg KH wrote:
>>
>>> You will note that the files are signed with my new kernel release
>>> signing key, and that the .tar file is signed, and then compressed, so
>>> there is not signatures for the individual compressed files.
>>
>> And why is that? It's less handy.
> 
> I'll let hpa answer that one, he changed it for a good reason that I
> can't recall at the moment :)
> 
> hpa?
> 

Signing the compressed file makes the compression "precious".  It also
means that the developer has to sign each.

It's not significantly "more handy" either... you can do something like:

	xz -cd file.xz | gpg --verify file.sign -

	-hpa

Re: Linux 3.0.7 now on kernel.org

[Frank Ch. Eigler]

"H. Peter Anvin" <hpa@zytor.com> writes:

> [...]
> Signing the compressed file makes the compression "precious".  It also
> means that the developer has to sign each.
>
> It's not significantly "more handy" either... you can do something like:
> 	xz -cd file.xz | gpg --verify file.sign -

On the other hand, it forces someone to decompress an untrustworthy
file in order to check its signature.  Should there ever be a security
exploit in any of these decompressors, this practice would aid
triggering it.

- FChE