[arch-releng] February release

Christian Hesse list at eworm.de
Thu Jan 31 07:33:36 EST 2013

Sven-Hendrik Haase <sh at lutzhaase.com> on Thu, 2013/01/31 13:19:
> On 31.01.2013 13:02, Christian Hesse wrote:
> > Pierre Schmitz <pierre at archlinux.de> on Wed, 2013/01/30 19:12:
> > > I am going to build a new ISO image on Friday. I did a test build today
> > > and everything looks fine. It's just updated packages; no changes to ais
> > > nor archiso. Let me know if there are any known issues or blockers.
> >
> > This is not about the ISO itself but its download...
> >
> > Torrent download files can contain more than just one file. How about
> > including gpg signature for the ISO file? Possibly this increases the
> > number of people actually checking the authenticity of downloaded files.
> Frankly, why? The torrent already guarantees you didn't get bad data.

Sure. But the gpg signature is not (only) about integrity but authenticity.

If you get a bad (not broken) torrent file you could download a bad ISO image
without noticing anybody is fooling you.
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-releng/attachments/20130131/f25b70d9/attachment.asc>

More information about the arch-releng mailing list