Is the core issue that there is no documentation for how to actually verify the PGP signature on the tar file, as "MIT highly recommends that you [do]"?
YES
-----Original Message-----
From: Benjamin Kaduk via RT [mailto:rt-comment@krbdev.mit.edu]
Sent: Friday, June 13, 2014 11:29 AM
To: Reagan, Dan
Subject: [krbdev.mit.edu #7927] Documentation__For users
[dan_reagan@mentor.com - Thu May 29 15:52:56 2014]:
> It would be really nice if you could document how to validate the PGP
> signature associated with a particular release.
>
> After more than an hour of searching, I've found no way to validate
> the release provided.
>
> I also note after searching the 'net that there are many others having
> the same problems.
The page
http://web.mit.edu/kerberos/krb5-latest/doc/build/index.html discusses the structure of the distribution tarball, and mentions that a PGP signature file is included.
The subject of this ticket mentions the "For users" document, though -- would you have been helped (even partially) by a link to the "Building Kerberos V5" document from the "For users"
document?
Is the core issue that there is no documentation for how to actually verify the PGP signature on the tar file, as "MIT highly recommends that you [do]"?