[R-sig-Debian] Please update GPG signature to long format.

Charles Plessy charles-r-nospam at plessy.org
Sun Sep 4 03:03:16 CEST 2016


Hi Michael and Dirk,

there are rising concerns that, as of today's computing power, an attacker can
generate a GPG key that has the same short ID as a target key.  In this
situation, it may be possible that a user downloads and trusts the attacker's
GPG key, and as a consequence installs malware.

For that reason (better explained in http://lwn.net/Articles/697417/), it is recommended to use long IDs or
even full fingerprints.  I am therefore suggesting to update the instructions
at <https://cran.rstudio.com/bin/linux/ubuntu/>.

s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/

(Note that I tested only in Debian Stable, which is one year older than Trusty,
so it might be good to double-check on a Trusty system that it works as
expected.)

Have a nice day,

Charles

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
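
The check the message argues for, as an added example that is not part of the original post: accept a downloaded key only when its full 40-digit fingerprint matches, since a short ID can be shared by an unrelated key. The function names are hypothetical, the listings are constructed records in `gpg --with-colons` layout trimmed to the fields used, and the lookalike fingerprint is fictional.

```shell
#!/bin/sh
# Fingerprint taken from the message above.
EXPECTED=E298A3A825C0D65DFD57CBB651716619E084DAB9

# Constructed records (field 10 of an "fpr" record is the fingerprint).
# LOOKALIKE is fictional and shares only the last 8 hex digits, i.e. the
# short ID, with EXPECTED.
GENUINE='pub:-:4096:1:51716619E084DAB9:
fpr:::::::::E298A3A825C0D65DFD57CBB651716619E084DAB9:
sub:-:4096:1:1111111111111111:
fpr:::::::::1111111111111111111111111111111111111111:'
LOOKALIKE='pub:-:4096:1:AAAAAAAAE084DAB9:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE084DAB9:'

# Print the fingerprint of every primary key in a colon listing on stdin,
# skipping the fpr records that belong to subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Print the primary fingerprints whose last 8 hex digits equal short ID $1.
matches_short_id() {
    primary_fprs | awk -v id="$1" \
        'toupper(substr($0, length($0) - 7)) == toupper(id)'
}

# Succeed only if stdin holds exactly one primary key whose fingerprint is $1.
# Spaces and case in $1 are ignored; anything but 40 hex digits is refused.
verify_fingerprint() {
    want=$(printf %s "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2   # short and long key IDs are not accepted
    got=$(primary_fprs)
    [ "$got" = "$want" ]
}

if printf '%s\n' "$GENUINE" | verify_fingerprint "$EXPECTED"; then
    echo "genuine key: full fingerprint matches"
fi
if ! printf '%s\n' "$LOOKALIKE" | verify_fingerprint "$EXPECTED"; then
    echo "lookalike key: rejected although its short ID is identical"
fi
count=$(printf '%s\n%s\n' "$GENUINE" "$LOOKALIKE" | matches_short_id E084DAB9 | wc -l | tr -d ' ')
echo "primary keys matching short ID E084DAB9: $count"
```

On a real system the listing would come from running gpg with `--with-colons` on the downloaded key file before it is added to the apt keyring.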


