Well, Pat signed my GPG key with the Slackware GPG key now (check http://pgp.mit.edu:11371/pks/lookup?...56AAAFA75CBDA0). That means you can verify that I created the packages and there is a level of trust that goes back to the Slackware creator.
As for your boss's demand that packages should come from the official download site... how do you define "official"? Let us for instance check "ftp.slackware.com":
Code:
$ host ftp.slackware.com
ftp.slackware.com has address 140.211.166.134
$ host 140.211.166.134
134.166.211.140.in-addr.arpa domain name pointer ftp-osl.osuosl.org.
I hope you see my implication?
If not, this is what it proves: the official FTP host for Slackware is not at all a Slackware server. Instead, it is the main mirror site (ftp.osuosl.org) for not only Slackware, but several other distributions.
In fact, for many years when ftp.slackware.com was still hosted by Slackware, Inc. it was considered rude to download packages directly from the Slackware ftp server, because it was unable to offer the required bandwidth and the server would often buckle under the load. Tell your boss that.
In this world, it does not matter where you get your packages from. Any server, even well-known ones that are carefully managed, may get compromised and end up serving bad code. In the case of kernel.org the admins could offer plausible proof that the kernel sources had not been tampered with because this is near-impossible to do with a git repository.
For the same reasons, you should not place false trust on the web site where you downloaded your packages. It is the GPG signatures of those packages that will prove to you the packages are the unmodified versions, packaged and signed by their creator. Tell your boss that.
As for the Slackware web site, it is too bad when he thinks the colours and rounded corners used in a web site design reflect the quality of a distro. If it comes down to that argument, then you will lose and your boss will win. I hope he will be convinced by quality. Also show him the Slackware Documentation Project at docs.slackware.com, which is a modern-style Wiki; he may be more impressed with that.
Finally, let us see what happens in a GPG verification:
Code:
$ gpg --verify /mnt/auto/sox/www/sox/slackware/slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: Can't check signature: public key not found
$ gpg --recv-keys A75CBDA0
gpg: requesting key A75CBDA0 from hkp server keys.gnupg.net
gpg: key A75CBDA0: public key "Eric Hameleers <alien@slackware.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: Good signature from "Eric Hameleers <alien@slackware.com>"
gpg: aka "Eric Hameleers <alien@sox.homeip.net>"
gpg: aka "Eric Hameleers (SBo) <alien@slackbuilds.org>"
gpg: aka "Eric Hameleers <eric.hameleers@alienbase.nl>"
gpg: aka "Eric Hameleers (IBM Linux) <alien@nl.ibm.com>"
gpg: aka "Eric Hameleers (Thuis) <e.hameleers@chello.nl>"
gpg: aka "Eric Hameleers <eric.hameleers@int.greenpeace.org>"
gpg: aka "Eric Hameleers (IBM Linux) <alien@linux.vnet.ibm.com>"
gpg: aka "[jpeg image of size 3054]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0
This shows how I imported my own key on a random computer and used GPG to check that the libreoffice package was signed by that same key which I had just downloaded. GPG then goes on to say that it verified that this was the key which signed the package, but it can not be certain that the real-life person "Eric Hameleers" is the owner of that GPG key. That is where the level of trust comes into play. A GPG key can be "signed" by other people, which means these other people vouch for "Eric Hameleers" really being the person who owns that GPG key.
The more people who sign a key, the bigger the web of trust becomes. If the owner of a well-known GPG key like Slackware's GPG key has signed my own key, that will enhance the credibility of "Eric Hameleers" as the owner of GPG key "A75CBDA0".
Suppose I import the Slackware GPG key as well and explicitly tell GPG to place trust in that key:
Code:
$ gpg --recv-keys 40102233
gpg: requesting key 40102233 from hkp server keys.gnupg.net
gpg: key 40102233: public key "Slackware Linux Project <security@slackware.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --edit-key 40102233
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/40102233 created: 2003-02-26 expires: 2038-01-19 usage: SCA
trust: unknown validity: unknown
sub 1024g/4E523569 created: 2003-02-26 expires: 2038-01-19 usage: E
[ unknown] (1). Slackware Linux Project <security@slackware.com>
gpg> trust
pub 1024D/40102233 created: 2003-02-26 expires: 2038-01-19 usage: SCA
trust: unknown validity: unknown
sub 1024g/4E523569 created: 2003-02-26 expires: 2038-01-19 usage: E
[ unknown] (1). Slackware Linux Project <security@slackware.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/40102233 created: 2003-02-26 expires: 2038-01-19 usage: SCA
trust: ultimate validity: unknown
sub 1024g/4E523569 created: 2003-02-26 expires: 2038-01-19 usage: E
[ unknown] (1). Slackware Linux Project <security@slackware.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
OK, I told GPG that I place ultimate trust in Slackware's GPG key. Now watch what GPG thinks of my package when I verify its signature:
Code:
$ gpg --verify slackware/slackbuilds/libreoffice/pkg64/14.0/libreoffice-4.0.1-x86_64-1alien.txz.asc
gpg: Signature made Thu 07 Mar 2013 04:16:26 PM CET using DSA key ID A75CBDA0
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2038-01-19
gpg: Good signature from "Eric Hameleers <alien@slackware.com>"
gpg: aka "Eric Hameleers <alien@sox.homeip.net>"
gpg: aka "Eric Hameleers (SBo) <alien@slackbuilds.org>"
gpg: aka "Eric Hameleers <eric.hameleers@alienbase.nl>"
gpg: aka "Eric Hameleers (IBM Linux) <alien@nl.ibm.com>"
gpg: aka "Eric Hameleers (Thuis) <e.hameleers@chello.nl>"
gpg: aka "Eric Hameleers <eric.hameleers@int.greenpeace.org>"
gpg: aka "Eric Hameleers (IBM Linux) <alien@linux.vnet.ibm.com>"
gpg: aka "[jpeg image of size 3054]"
You see that the "WARNING: This key is not certified with a trusted signature!" warning has disappeared from the output.
I wish you luck.
Eric
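The post's two verification runs hinge on the difference between a good signature (the package is exactly what the holder of key A75CBDA0 signed) and a trusted key (someone you trust vouches that the key belongs to Eric). The following is an added example, not code from the post or from Slackware; it shows how a script can make that distinction instead of grepping the human-readable output above, by reading GnuPG's machine-readable status lines (the documented `--status-fd` interface). The sample status lines are constructed by hand to mirror the runs in the post, before and after the Slackware key was given ultimate trust; the signature timestamp and algorithm fields in them are constructed placeholders, and only the fingerprint and key ID are taken from the post. The `decide` policy (pin a fingerprint, or else require fully/ultimately valid) is this example's own choice.

```python
"""Decide whether a signed package is acceptable from GnuPG status lines."""
import re
import subprocess

STATUS_PREFIX = "[GNUPG:] "
TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE")
ACCEPTABLE_TRUST = ("TRUST_FULLY", "TRUST_ULTIMATE")

# Primary key fingerprint as printed by the gpg run in the post.
PINNED_FINGERPRINT = "F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0"

# Constructed sample: first run in the post; key imported, nobody trusted
# vouches for it -> TRUST_UNDEFINED (the "not certified" warning).
STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5E56AAAFA75CBDA0 Eric Hameleers <alien@slackware.com>
[GNUPG:] VALIDSIG F2CE1B92EE1F2C0CE97E581E5E56AAAFA75CBDA0 2013-03-07 1362669386 0 4 0 17 2 00 F2CE1B92EE1F2C0CE97E581E5E56AAAFA75CBDA0
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed sample: second run; the Slackware key that signed this key is
# now ultimately trusted, so GnuPG reports the key as fully valid.
STATUS_TRUSTED = STATUS_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Constructed sample: signature made by a key that is not in the keyring
# (the "public key not found" case from the post; rc 9 = no public key).
STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 5E56AAAFA75CBDA0 17 2 00 1362669386 9
[GNUPG:] NO_PUBKEY 5E56AAAFA75CBDA0
"""


def normalize_fpr(fpr):
    """Strip the display grouping so fingerprints compare byte for byte."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_text):
    """Collect the facts GnuPG reported: signature result, key, trust level."""
    facts = {"good_signature": False, "bad_signature": False, "missing_key": None,
             "key_id": None, "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            facts["good_signature"] = True
            facts["key_id"] = args[0]
        elif keyword == "BADSIG":
            facts["bad_signature"] = True
            facts["key_id"] = args[0]
        elif keyword == "VALIDSIG":
            # The last field is the primary key fingerprint; the first may
            # belong to a signing subkey, so pin against the primary.
            facts["fingerprint"] = normalize_fpr(args[-1])
        elif keyword == "NO_PUBKEY":
            facts["missing_key"] = args[0]
        elif keyword in TRUST_LEVELS:
            facts["trust"] = keyword
    return facts


def decide(status_text, pinned_fingerprint=None):
    """Return (accepted, reason) for one verification run.

    With a pinned fingerprint the signature must be good and made by exactly
    that primary key; the web of trust is not consulted.  Without a pin the
    key must additionally be fully or ultimately valid, i.e. vouched for by
    a key the local user trusts, as in the post's second run.
    """
    facts = parse_status(status_text)
    if facts["missing_key"]:
        return False, "public key %s not in keyring" % facts["missing_key"]
    if facts["bad_signature"]:
        return False, "BAD signature by %s" % facts["key_id"]
    if not facts["good_signature"] or not facts["fingerprint"]:
        return False, "no good signature reported"
    if pinned_fingerprint is not None:
        if facts["fingerprint"] == normalize_fpr(pinned_fingerprint):
            return True, "good signature by pinned key %s" % facts["fingerprint"]
        return False, "good signature, but by unexpected key %s" % facts["fingerprint"]
    if facts["trust"] in ACCEPTABLE_TRUST:
        return True, "good signature, key valid via web of trust (%s)" % facts["trust"]
    return False, "good signature, but key not certified (%s)" % facts["trust"]


def verify_with_gpg(sig_path, data_path, pinned_fingerprint=None):
    """Run gpg on a detached .asc signature and apply decide() to its status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return decide(proc.stdout, pinned_fingerprint)


if __name__ == "__main__":
    print(decide(STATUS_UNTRUSTED))
    print(decide(STATUS_TRUSTED))
    print(decide(STATUS_UNTRUSTED, PINNED_FINGERPRINT))
    print(decide(STATUS_NO_KEY))
```

Pinning the fingerprint is what you would do on a build machine where nobody edits the trust database: the fingerprint is checked once against an out-of-band source (the key server entry signed by the Slackware key, or the fingerprint printed on the author's site) and then a good signature by that key is sufficient. Relying on the TRUST_* line instead reproduces the post's interactive workflow, where `gpg --edit-key` decides which keys can vouch for others.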