Posted Sep 2, 2011 8:56 UTC (Fri) by rickmoen
In reply to: kernel.org compromised
Parent article: kernel.org compromised
Note: "This signature does not guarantee that the Linux Kernel Archives master site itself has not been compromised."
Well, no code signature ever guarantees that the hosting site hasn't been compromised.
A sentence higher up, immediately after the bit about the signing being automated, is actually quite a bit more significant: "This signature can be used to prove that a file, which may have been obtained from a mirror site or other location, really originated at the Linux Kernel Archives."
A truly careful parsing of that sentence might catch the implication that the signature proves only that the file really originated at kernel.org. However, it'd be really nice if this were more apparent upon casual browsing of tarballs.