
[Libevent-users] Re: ANN: Libevent 2.0.16-stable is released



[Hi, Dave!  It looks like your original message bounced because the
address wasn't subscribed. I'm quoting it in full below.]

Dave Hart <davehart@xxxxxxxxx> wrote:
>On Fri, Nov 18, 2011 at 20:40, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>> Libevent 2.0.16-stable is now tagged and released. The package is
>> available from the *shiny new website* at http://libevent.org/ .
>>
>> There are GPG signatures there too; you should probably verify them,
>> to make sure you get the software you think you are getting.
>
> Cryptographic signatures are a great thing, but where is one supposed
> to get a trustworthy copy of the public key used to sign it?  From the
> same website?  From 3rd party PGP/GPG keyservers?
So, the key to use is 165733ea; it's on the keyservers for me, and
hasn't changed for a while.  It's got some pretty decent signatures on
it; if you're connected to any debian folks, you should have a decent
web-of-trust path to me.

pub   3072R/165733EA 2004-07-03
      Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
uid                  Nick Mathewson <nickm@xxxxxxxxxxxx>
uid                  Nick Mathewson <nickm@xxxxxxxxxxx>
uid                  Nick Mathewson <nickm@xxxxxxxxxxxxx>

It's also the same key that signs the tags in the libevent git
repository, so if you are sure you're getting the real libevent git
repository, you can see which key is signing the tags there.

>  I haven't tried
> verifying the detached signature to know which key is used and who has
> cross-signed that key, but I'm wondering how difficult it would be to
> host libevent._com_ with a trojaned libevent signed with a GPG key
> available from public PGP/GPG keyservers with an email address listed
> for the key like release@xxxxxxxxxxxxxxx

Yup; somebody could sure do that.  Folks should make sure that it's
not just a "valid" signature, but that it's a valid signature _from
me_, using the right (well and thoroughly signed) key.

As an added protection, all the downloads listed from the site are now
at URLs under
 https://github.com/libevent/libevent/...

So if you're getting your packages from there, you can be pretty sure
that they're right, unless somebody has compromised github, or github
has turned evil, or somebody has compromised my github account (or
Niels's), or somebody has tricked a CA into signing a bad github.com
certificate, or etc etc etc.

(I note with some sadness that only about 2.5% of the people who are
downloading the package are also downloading the signatures.
I have no idea how many are checking which URLs they're actually
getting the packages from.  Scary stuff.)

-- 
Nick
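The check Nick describes above, as an added example that is not part of this thread or of the libevent project: a POSIX shell function that reads gpg's machine-readable `--status-fd` output and accepts a release only when the `VALIDSIG` line names the pinned fingerprint from his message (B35B F85B ... 1657 33EA). A signature that is merely "valid" under some other key, say one uploaded to a keyserver with a plausible-looking address, is rejected. The two status transcripts embedded below are constructed samples (dates, timestamps, the second key's fingerprint and the e-mail addresses are made up); only the pinned fingerprint comes from the message.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signing key's
# fingerprint. Not from the libevent project or the thread's author.

# Fingerprint quoted in Nick's message, with the spaces removed.
PINNED_FPR="B35BF85BF19489D04E28C33C21194EBB165733EA"

# check_status PINNED_FPR
# Reads `gpg --status-fd` lines on stdin. Returns 0 only when a VALIDSIG
# line carries the pinned fingerprint, either as the signing key (field 3)
# or as the primary key that owns the signing subkey (field 12).
check_status() {
    pinned=$1
    ok=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # Split the status line into words; $pinned was saved above
                # because `set --` replaces the positional parameters.
                set -- $line
                sig_fpr=$3
                primary_fpr=${12:-$3}
                if [ "$sig_fpr" = "$pinned" ] || [ "$primary_fpr" = "$pinned" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
                # Broken signature or unknown key: fail immediately.
                return 1
                ;;
        esac
    done
    return $ok
}

# verify_release TARBALL SIGFILE
# Real-world use: run gpg with status output on stdout and pipe it into
# check_status. Human-readable messages on stderr are discarded.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_status "$PINNED_FPR"
}

# Constructed sample: a good signature from the pinned key. gpg reports
# TRUST_UNDEFINED here because the key is not in the local web of trust;
# the fingerprint pin is what makes this check meaningful regardless.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 21194EBB165733EA Nick Mathewson <nickm@example.invalid>
[GNUPG:] VALIDSIG B35BF85BF19489D04E28C33C21194EBB165733EA 2011-11-18 1321650000 0 4 0 1 2 00 B35BF85BF19489D04E28C33C21194EBB165733EA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a cryptographically valid signature from a different
# key (fingerprint made up). gpg alone says GOODSIG; the pin says no.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Bot <release@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2011-11-18 1321650000 0 4 0 1 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Stand-alone demonstration on the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED_FPR" \
        && echo "pinned key: accepted" || echo "pinned key: REJECTED (bug)"
    printf '%s\n' "$SAMPLE_OTHER" | check_status "$PINNED_FPR" \
        && echo "other key: accepted (bug)" || echo "other key: rejected"
}
```

To check a real download, fetch the tarball and its `.asc` file, import the key, and run `verify_release libevent-2.0.16-stable.tar.gz libevent-2.0.16-stable.tar.gz.asc`; a zero exit status means both that gpg found the signature good and that it was made by the pinned key. Pinning the fingerprint is a substitute for the web-of-trust path Nick mentions, not an improvement on it: the pin is only as trustworthy as the channel the fingerprint came from.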