Justis Peters
2007-Mar-12 20:56 UTC
Validity of https://lists.shorewall.net/shorewall.gpg.key
Fellow shorewall users,

I am new to the list. Please forgive me if this question has been covered already. I searched the archives briefly and checked through the documentation and couldn't find anything.

At the moment, I am attempting to download and install shorewall on a server and would like to ensure that it's a valid copy. I saw that there is a GPG key at https://lists.shorewall.net/shorewall.gpg.key and I thought, "Great! I can check to see that it's valid". Unfortunately, the SSL certificate for https://lists.shorewall.net is self signed, though. Is this how it has been forever, or has the server been hacked? With it being self signed, there's no chain of trust to assure me that the site hasn't been hacked. Could anybody provide me with a copy of the Shorewall GPG key that they consider valid?

If it is the normal case that the certificate is self signed, I'd like to suggest that lists.shorewall.net apply for a certificate from http://www.cacert.org/. That would at least provide a chain of trust that I can rely on, even if it's not imported into most browsers. This way, I can assure my client that the code I installed on their server is validly the shorewall that we all know and love rather than a trojan horse.

Thanks in advance to those who reply. And thanks to all those who have contributed to and supported shorewall over the years. It has made my job much easier on dozens and dozens of servers.

Kind regards,
Justis Peters
Tom Eastep
2007-Mar-12 22:15 UTC
Re: Validity of https://lists.shorewall.net/shorewall.gpg.key
Justis Peters wrote:

> Unfortunately, the SSL
> certificate for https://lists.shorewall.net is self signed, though. Is
> this how it has been forever, or has the server been hacked?

That's the way that it has been since day one.

> With it
> being self signed, there's no chain of trust to assure me that the site
> hasn't been hacked. Could anybody provide me with a copy of the
> Shorewall GPG key that they consider valid?

Attached.

> If it is the normal case that the certificate is self signed, I'd like
> to suggest that lists.shorewall.net apply for a certificate from
> http://www.cacert.org/. That would at least provide a chain of trust
> that I can rely on, even if it's not imported into most browsers. This
> way, I can assure my client that the code I installed on their server is
> validly the shorewall that we all know and love rather than a trojan horse.

If and when I ever get the time and money to build a new server, I'll look into cacert.org.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key