[linux-elitists] Rooted kernel.org hosts (was: PJ takes her victory lap)
greg at kroah.com
Wed Aug 31 21:12:40 PDT 2011
On Wed, Aug 31, 2011 at 08:57:00PM -0700, Rick Moen wrote:
> Quoting Greg KH (greg at kroah.com):
> > Yes, the design of git makes it almost impossible to tamper with, and
> > the tarballs can be regenerated from any git tree to verify the
> > integrity of them. You can do this yourself if you want to ensure this.
> I wasn't worried about the tarballs' integrity (not to mention being
> unworried about sha1 collisions), because enough people check the
> published .sign files and have ongoing acquaintance with the Linux
> Kernel Archives OpenPGP key.
As hera was the machine that was compromised, tarballs could be changed
and properly signed, so pgp signatures mean nothing here. It's git that
is the secure part of our development process.
The signing ensures that the mirrors are properly serving up the correct
files, it means nothing for the "master" tarballs.
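As an added illustration of the property Greg is relying on (this is example code written for this archive page, not anything from the mail or from kernel.org): git names every blob, tree and commit by the SHA-1 of its content, and each commit embeds the ids of its tree and parent, so an object changed in place on a server no longer matches the id that every other clone already records. The store, sample files and commit metadata below are constructed; the hashing follows git's `type size\0payload` object format.

```python
import hashlib


def git_hash(obj_type: str, payload: bytes) -> str:
    """SHA-1 over git's object header plus payload, as `git hash-object` computes it."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


class ObjectStore:
    """Minimal content-addressed store: hex id -> (type, payload). Constructed for the demo."""

    def __init__(self):
        self.objects = {}

    def put(self, obj_type: str, payload: bytes) -> str:
        h = git_hash(obj_type, payload)
        self.objects[h] = (obj_type, payload)
        return h


def make_blob(store: ObjectStore, content: bytes) -> str:
    return store.put("blob", content)


def make_tree(store: ObjectStore, entries: dict) -> str:
    """Flat tree of regular files (mode 100644); entries maps filename -> blob id."""
    payload = b""
    for name in sorted(entries):  # git stores tree entries sorted by name
        payload += b"100644 " + name.encode() + b"\0" + bytes.fromhex(entries[name])
    return store.put("tree", payload)


def make_commit(store: ObjectStore, tree: str, parent, message: str) -> str:
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    # Fixed, constructed identity and timestamp so the ids are reproducible.
    lines.append("author Example <example@example.invalid> 1314850000 -0700")
    lines.append("committer Example <example@example.invalid> 1314850000 -0700")
    payload = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return store.put("commit", payload)


def _check(store: ObjectStore, h: str, expected_type: str) -> bool:
    """True only if the object exists, has the expected type, and still hashes to h."""
    entry = store.objects.get(h)
    if entry is None or entry[0] != expected_type:
        return False
    return git_hash(entry[0], entry[1]) == h


def _verify_tree(store: ObjectStore, tree_hash) -> bool:
    if tree_hash is None or not _check(store, tree_hash, "tree"):
        return False
    payload = store.objects[tree_hash][1]
    i = 0
    while i < len(payload):
        nul = payload.index(b"\0", i)          # end of "<mode> <name>"
        blob = payload[nul + 1:nul + 21].hex()  # 20 raw SHA-1 bytes follow
        if not _check(store, blob, "blob"):
            return False
        i = nul + 21
    return True


def verify_chain(store: ObjectStore, commit_hash: str) -> bool:
    """Walk from commit_hash to the root commit, recomputing every object's id."""
    seen = set()
    current = commit_hash
    while current:
        if current in seen or not _check(store, current, "commit"):
            return False
        seen.add(current)
        fields, _, _ = store.objects[current][1].partition(b"\n\n")
        tree = parent = None
        for line in fields.split(b"\n"):
            key, _, value = line.partition(b" ")
            if key == b"tree":
                tree = value.decode()
            elif key == b"parent":
                parent = value.decode()
        if not _verify_tree(store, tree):
            return False
        current = parent
    return True


def run_demo() -> dict:
    """Two constructed commits, then a simulated in-place edit on the server's copy."""
    store = ObjectStore()
    v1 = make_blob(store, b"VERSION = 1\n")
    c1 = make_commit(store, make_tree(store, {"Makefile": v1}), None, "Release 1")
    v2 = make_blob(store, b"VERSION = 2\n")
    c2 = make_commit(store, make_tree(store, {"Makefile": v2}), c1, "Release 2")
    clean_ok = verify_chain(store, c2)
    # A legitimate change produces new blob, tree and commit ids.
    ids_differ = (v1 != v2) and (c1 != c2)
    # Someone with write access alters the stored bytes but cannot alter the id
    # that every existing clone already references: the walk now fails.
    store.objects[v1] = ("blob", b"VERSION = 1\nTAMPERED = 1\n")
    tampered_ok = verify_chain(store, c2)
    return {"clean_ok": clean_ok, "ids_differ": ids_differ, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

The check a clone performs is the same walk: anyone holding a trusted commit id (from their own pull, a signed tag, or a mail announcing it) can recompute the chain and notice a replaced object, which is why Greg treats git rather than the tarball signatures as the trustworthy part when the signing host itself is compromised.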