Re: [dev] dl.suckless.org file integrity github project

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Anselm R Garbe <garbeam_AT_gmail.com>
Date: Sun, 27 Aug 2017 15:19:19 +0200

On 26 August 2017 at 21:08, Laslo Hunhold <dev_AT_frign.de> wrote:
> On Fri, 25 Aug 2017 13:54:41 +0200
> Anselm R Garbe <garbeam_AT_gmail.com> wrote:
>> Either that, or perhaps we can reinstate the old fashion of
>> suckless.org/~user/ homedir.
>
> I gave it a bit more thought and realized that putting the keys all in
> one place defeats the purpose of PGP. If the server is compromised, an
> attacker would just have to additionally replace the keys in the
> homedirs besides replacing the signed release-tarballs with fraudulent
> ones that were signed with his "fraudulent" key.

There's nothing wrong to put public keys onto suckless.org, in
addition to a range of other places incl. official key servers.

It would be a very poor assumption to only base a trust model on
public keys found at the same place as some signatures.

BR,
Anselm
Received on Sun Aug 27 2017 - 15:19:19 CEST

This archive was generated by hypermail 2.3.0 : Sun Aug 27 2017 - 15:24:27 CEST