[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] 2.8.8 corrupted

From: Thomas Dickey
Subject: Re: [Lynx-dev] 2.8.8 corrupted
Date: Fri, 17 Nov 2017 04:34:54 -0500
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Oct 25, 2017 at 01:48:16PM -0400, Keith Bowes wrote:
> Je 2017-09-17 je 07:59:25 (-0600) Paul Gilmartin skribis:
> > Intrigued by this, I thought to verify a signature, but:
> > 
> > 619 $ curl 
> >
> > Version: GnuPG v2.0.17 (FreeBSD)
> > Comment: See for info
> > 
> > iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D
> > r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws
> > =zD+J
> > -----END PGP SIGNATURE-----
> > 
> Yeah, Thomas Dickey should update his PGP signature now that ISC no
> longer hosts Lynx.

That's a complicated topic.  Here are some points:

a) I've used address@hidden for all of the changes made since
   moving the files to my regular site.

b) The signature for the older files is valid, and the keys published for
   quite a while.

c) Anyone who'd trusted the older signature would still have the same files
   (and same signature).

d) Aside from the trust issue, the nice thing about the signatures is that
   they're all dated.  If I re-signed the files (replacing the signatures,
   which is what you meant by "update"), all of that information would be

e) Besides losing the timestamps, the other side of replacing the signatures
   is that it presumes that anyone with an older copy of the tar/zip file
   will do their side and ensure that I didn't substitute/tamper with the

So... if we can address those points (in particular, refraining from calling
it "update" or anything of that nature), I could re-sign the files.  But
doing that raises its own issues.

Thomas E. Dickey <address@hidden>

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]