[PATCH] Getting started docs: https, and check signature
Jeffrey Yasskin
jyasskin at gmail.com
Wed Jul 1 10:38:27 PDT 2015
REPOSITORY
rL LLVM
================
Comment at: llvm/trunk/docs/GettingStarted.rst:331
@@ +330,3 @@
+ % wget https://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2.sig
+ % wget https://ftp.gnu.org/gnu/gnu-keyring.gpg
+ % signature_invalid=`gpg --verify --no-default-keyring --keyring ./gnu-keyring.gpg gcc-4.8.2.tar.bz2.sig`
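Review bot: On the `gpg --verify` line, `signature_invalid` is assigned the command's standard output through backticks, not its exit status, so the variable's contents do not say whether the signature checked out. gpg reports the verification result through its exit code and writes its diagnostic messages to stderr, so the captured string will normally be empty either way. Suggest running the command directly and branching on the status, for example `if ! gpg --verify --no-default-keyring --keyring ./gnu-keyring.gpg gcc-4.8.2.tar.bz2.sig; then ...`, or recording `$?` on the following line. It would also help to pass `gcc-4.8.2.tar.bz2` explicitly as the second argument so the file being verified is named in the docs rather than inferred from the `.sig` filename.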
----------------
There's not much point fetching the signing key over exactly the same transport as the data. If someone's compromised ftp.gnu.org, they can replace the key at the same time as they replace the signature. Either trust just HTTPS or fetch the signing key from somewhere else.
http://reviews.llvm.org/D10845