Diffstat (limited to 'docs/docbook/projdoc/Compiling.sgml')
-rw-r--r-- | docs/docbook/projdoc/Compiling.sgml | 57 |
1 files changed, 55 insertions, 2 deletions
diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index b8471508f6..15b5acc594 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml @@ -13,8 +13,10 @@ <title>How to compile SAMBA</title> -<para>You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, -you can download samba from CVS or using rsync. </para> +<para> +You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, +you can download samba from CVS or using rsync. +</para> <sect1> <title>Access Samba source code via CVS</title> 
@@ -178,6 +180,57 @@ on this system just substitute the correct package name </sect1> <sect1> +<title>Verifying Samba's PGP signature</title> + +<para> +In these days of insecurity, it's strongly recommended that you verify the PGP signature for any +source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of +all Samba downloads have had a corresponding PGP signature download (a very low percentage, which +should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP +signatures should be a standard reflex. +</para> + + +<para> +With that said, go ahead and download the following files: +</para> + +<para><programlisting> + $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc + $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc +</programlisting></para> + +<para> +The first file is the PGP signature for the Samba source file; the other is the Samba public +PGP key itself. Import the public PGP key with: +</para> + +<programlisting> + $ gpg --import samba-pubkey.asc +</programlisting> + +<para> +And verify the Samba source code integrity with: +</para> + +<programlisting> + $ gzip -d samba-2.2.8a.tar.gz + $ gpg --verify samba-2.2.8a.tar.asc +</programlisting> + +<para> +If you receive a message like, "Good signature from Samba Distribution Verification Key..." +then all is well. The warnings about trust relationships can be ignored. An example of what +you would not want to see would be: +</para> + +<programlisting> + gpg: BAD signature from "Samba Distribution Verification Key" +</programlisting> + +</sect1> + +<sect1> <title>Building the Binaries</title> <para>To do this, first run the program <userinput>./configure |
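Review bot: In the new "Verifying Samba's PGP signature" section, the public key is fetched with "wget http://us1.samba.org/samba/ftp/samba-pubkey.asc", that is, over plain HTTP from the same host that serves the signature. The text then says "The warnings about trust relationships can be ignored." Taken together, a reader who follows these steps only learns that the tarball matches whatever key that host handed out. A tampered mirror or an on-path attacker can replace the tarball, the .asc and the key together and still produce "Good signature". Please print the expected key fingerprint in this section (or point to where it is published independently of the download host), and add a step that compares it against the output of gpg --fingerprint after the import. The trust sentence should also be reworded to say the warning is expected only once the fingerprint has been checked. Two smaller points in the same hunk: the download list never fetches samba-2.2.8a.tar.gz, although the later "gzip -d samba-2.2.8a.tar.gz" step needs it. Also, the first programlisting is wrapped in para while the other three are not, so pick one form.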