Diffstat (limited to 'docs/docbook/projdoc/Compiling.sgml')
-rw-r--r-- docs/docbook/projdoc/Compiling.sgml 57
1 files changed, 55 insertions, 2 deletions
diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml
index b8471508f6..15b5acc594 100644
--- a/docs/docbook/projdoc/Compiling.sgml
+++ b/docs/docbook/projdoc/Compiling.sgml
@@ -13,8 +13,10 @@
<title>How to compile SAMBA</title>
-<para>You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
-you can download samba from CVS or using rsync. </para>
+<para>
+You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
+you can download samba from CVS or using rsync.
+</para>
<sect1>
<title>Access Samba source code via CVS</title>
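Review bot: The opening <para> under "How to compile SAMBA" is only re-wrapped here (the tags move to their own lines, the text is unchanged), which adds an unrelated whitespace change to a commit whose content is the new PGP section. Consider dropping this hunk or submitting it as a separate formatting commit so the documentation change is easier to review.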
@@ -178,6 +180,57 @@ on this system just substitute the correct package name
</sect1>
<sect1>
+<title>Verifying Samba's PGP signature</title>
+
+<para>
+In these days of insecurity, it's strongly recommended that you verify the PGP signature for any
+source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of
+all Samba downloads have had a corresponding PGP signature download (a very low percentage, which
+should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP
+signatures should be a standard reflex.
+</para>
+
+
+<para>
+With that said, go ahead and download the following files:
+</para>
+
+<para><programlisting>
+ $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc
+ $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc
+</programlisting></para>
+
+<para>
+The first file is the PGP signature for the Samba source file; the other is the Samba public
+PGP key itself. Import the public PGP key with:
+</para>
+
+<programlisting>
+ $ gpg --import samba-pubkey.asc
+</programlisting>
+
+<para>
+And verify the Samba source code integrity with:
+</para>
+
+<programlisting>
+ $ gzip -d samba-2.2.8a.tar.gz
+ $ gpg --verify samba-2.2.8a.tar.asc
+</programlisting>
+
+<para>
+If you receive a message like, "Good signature from Samba Distribution Verification Key..."
+then all is well. The warnings about trust relationships can be ignored. An example of what
+you would not want to see would be:
+</para>
+
+<programlisting>
+ gpg: BAD signature from "Samba Distribution Verification Key"
+</programlisting>
+
+</sect1>
+
+<sect1>
<title>Building the Binaries</title>
<para>To do this, first run the program <userinput>./configure
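Review bot: The sentence "The warnings about trust relationships can be ignored" in the new "Verifying Samba's PGP signature" sect1 weakens the check it documents. samba-pubkey.asc is fetched over plain http from the same host (us1.samba.org) as the signature, so anyone able to replace the tarball there could replace the key and the signature as well, and gpg would still report "Good signature". Suggest telling the reader to compare the imported key's fingerprint (gpg --fingerprint) against a value obtained through a separate channel, and rewording the trust-warning sentence to say that. Three smaller points in the same hunk: the download listing never fetches samba-2.2.8a.tar.gz although the verify step runs gzip -d on it; the single-argument "gpg --verify samba-2.2.8a.tar.asc" relies on gpg deriving the data file name from the .asc name, so naming both files (gpg --verify samba-2.2.8a.tar.asc samba-2.2.8a.tar) would be clearer to readers; and the first programlisting is wrapped in <para> while the other three are not.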