bugzilla-daemon at mindrot.org
2003-May-02 10:15 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

papadopo at shfj.cea.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From papadopo at shfj.cea.fr  2003-05-02 20:15 -------
The key is in file DJM-GPG-KEY.asc but this doesn't address the poster's question. A link is really needed to this file on the home page or the download page. I too spent more than an hour trying to find the public key. The fact that the file has been there for years doesn't make it easier to find.

As for the keyservers, I don't know where to find them, if I can talk to them through our organization-wide firewall, and how to ask them for a key. I suspect this is the case of most OpenSSH users, and is a reason why OpenSSH is probably most often installed without checking the signature.

Again: It would be a great service to your user community if you made the signing key easy to find on your web site. A top-level link would be nice, but even a link from the download section would be good.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-May-14 12:27 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org  2003-05-14 22:27 -------
Key is on the FTP server and is widely distributed on the keyservers (the canonical place for keys)
bugzilla-daemon at mindrot.org
2003-May-14 13:16 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

marcel.kuiper at nl.abnamro.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

------- Additional Comments From marcel.kuiper at nl.abnamro.com  2003-05-14 23:16 -------
Apparently there's a lot of people spending a large amount of time (or give up on it) finding this key. (The keyservers do you no good if you don't know that you need Damien Miller's key -- a search for openssh returns Karl Friedl)

There is no valid reason to make it so hard. In fact, quite the contrary I would say. Internet security would benefit if you would make it easy (most OSS web sites provide links and instructions on signature verification)

How hard can it be to add a small section to the openssh web site?

Marcel
bugzilla-daemon at mindrot.org
2003-May-14 13:25 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From dtucker at zip.com.au  2003-05-14 23:25 -------
Err, that's what the keyid is for:

$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found

$ gpg --recv-key 86FF9C48
gpg: requesting key 86FF9C48 from HKP keyserver wwwkeys.au.pgp.net
gpg: found 0 ownertrust records
gpg: migrated 0 version 2 ownertrusts
gpg: key 86FF9C48: public key imported
gpg: Total number processed: 1
gpg: imported: 1

$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm at mindrot.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
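
[Added example, not part of the original thread or of OpenSSH: the session above ends with gpg warning that the key is uncertified, and the 8-digit key ID is only the tail of the fingerprint, so a scripted check should pin the full fingerprint. The sketch below parses gpg's --status-fd output; the sample status lines are constructed, and the function names are hypothetical.]

```shell
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature made
# by one pinned key, identified by its full fingerprint.

# Fingerprint as printed in the gpg session above.
PINNED_FPR="3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48"

# normalize_fpr FPR: strip whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# status_matches_pin FPR: reads `gpg --status-fd 1` output on stdin.
# Succeeds only if a VALIDSIG line carries FPR as the signing key (field 3)
# or as the primary key (last field), and no failure status was reported.
status_matches_pin() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIGFILE DATAFILE: run gpg and apply the pinned check, e.g.
#   verify_release openssh-3.6.1p2.tar.gz.sig openssh-3.6.1p2.tar.gz
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}

# Constructed sample status output (timestamps and trailing fields are
# illustrative, not captured from a real run).
SAMPLE_GOOD='[GNUPG:] GOODSIG CE8ECB0386FF9C48 Damien Miller (Personal Key)
[GNUPG:] VALIDSIG 3981992A1523ABA079DBFC66CE8ECB0386FF9C48 2003-04-29 1051609209 0 3 0 17 2 00 3981992A1523ABA079DBFC66CE8ECB0386FF9C48'

# Constructed: a different key whose fingerprint ends in the same short
# key ID 86FF9C48. The short ID matches, the pinned fingerprint does not.
SAMPLE_LOOKALIKE='[GNUPG:] GOODSIG 4444555586FF9C48 Someone Else
[GNUPG:] VALIDSIG 0000111122223333444455556666777786FF9C48 2003-04-29 1051609209 0 3 0 17 2 00 0000111122223333444455556666777786FF9C48'
```

The pinned fingerprint only helps if it was obtained over a channel independent of the download itself.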
bugzilla-daemon at mindrot.org
2003-May-14 14:15 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From marcel.kuiper at nl.abnamro.com  2003-05-15 00:15 -------
Good point, but notwithstanding that, things can be made a lot easier for the masses without a lot of effort
bugzilla-daemon at mindrot.org
2003-May-14 15:13 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From jsmith at purdue.edu  2003-05-15 01:13 -------
After I posted my original bug report, I received email from people all over the world, saying "please send me the signing key."

Putting a reference to the key on your web site increases the odds that people will actually check the signature. It's easy to do. It costs nothing.

I'm a big fan of openssh and open source in general. But lack of responsiveness on a trivial issue like this makes it more difficult to "sell" the idea of using open source products to management. That is unfortunate, and ultimately harmful to the open source movement.
bugzilla-daemon at mindrot.org
2003-May-14 22:56 UTC
[Bug 379] difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org  2003-05-15 08:56 -------
Use a keyserver. As I mentioned, this is the canonical place to find keys. Please don't reopen this bug, my mind is made up.