Re: [dev] dl.suckless.org file integrity github project

From: Laslo Hunhold <dev_AT_frign.de>
Date: Sat, 26 Aug 2017 21:05:25 +0200

On Fri, 25 Aug 2017 17:13:38 +0200
Mattias Andrée <maandree_AT_kth.se> wrote:

Dear Mattias,

> Each user could have a directory called pgp-keys and dl.suckless.org
> could list those directories. This would allow us to store old keys
> in a structured manner.
>
> An alternative is that the owner of a repo commits his key to the
> repo under /.pgp-keys.

this is absolute insanity! This completely defeats the purpose of it.
If for some reason the suckless.org server is compromised, the
attacker can sign the fraudulent commits with his key and just replace
the one for the corresponding user on dl.suckless.org.

PGP only works if the hosting is diverse, i.e. if the key is for
instance hosted on every project member's homepage. Can't we just stop
with this pseudo-security stuff?

If somebody fiddled with the git-repo in some way, people would notice,
because many many people have copies of the tree on their computer. If
somebody somehow modified tags, or rebranched the repository, it would
be noticed. This is a much more logical security approach which is
already in place.
Still, I'm not against signing tags with PGP keys, and as always, in
case I get something wrong, please let me know.

With best regards

Laslo

-- 
Laslo Hunhold <dev_AT_frign.de>
Received on Sat Aug 26 2017 - 21:05:25 CEST
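
The cross-check the message relies on (many independent copies of the tree disagreeing with a tampered server), as an added example that is not part of the original message: it compares `git ls-remote --tags` output collected from several copies and reports tags that point at different objects. The source names, tag names and object ids are constructed.

```python
from collections import defaultdict

# Constructed object ids (not real commits).
GOOD_01 = "1" * 40
GOOD_02 = "2" * 40
REWRITTEN_02 = "e" * 40

# Constructed `git ls-remote --tags <url>` output, one entry per copy of the
# repository. "server" stands for the central host, the others for clones
# kept by different people (all names are hypothetical).
VIEWS = {
    "server": f"{GOOD_01}\trefs/tags/0.1\n{REWRITTEN_02}\trefs/tags/0.2\n",
    "clone-a": f"{GOOD_01}\trefs/tags/0.1\n{GOOD_02}\trefs/tags/0.2\n",
    "clone-b": f"{GOOD_01}\trefs/tags/0.1\n{GOOD_02}\trefs/tags/0.2\n",
    "clone-c": f"{GOOD_01}\trefs/tags/0.1\n",  # stale: has not fetched 0.2 yet
}


def parse_ls_remote(text):
    """Map ref name -> object id from `git ls-remote` lines ("<oid>\\t<ref>")."""
    refs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        oid, ref = line.split(None, 1)
        if len(oid) not in (40, 64) or any(c not in "0123456789abcdef" for c in oid):
            raise ValueError(f"not an object id: {oid!r}")
        refs[ref.strip()] = oid
    return refs


def divergent_refs(views):
    """Return {ref: {oid: [sources]}} for refs that differ between copies.

    A ref that is merely absent from one copy is not reported: a clone that
    has not fetched recently is stale, not evidence of tampering.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for source, text in views.items():
        for ref, oid in parse_ls_remote(text).items():
            seen[ref][oid].append(source)
    return {ref: {oid: sorted(srcs) for oid, srcs in by_oid.items()}
            for ref, by_oid in seen.items() if len(by_oid) > 1}


if __name__ == "__main__":
    for ref, by_oid in sorted(divergent_refs(VIEWS).items()):
        print(f"MISMATCH {ref}")
        for oid, sources in sorted(by_oid.items()):
            print(f"  {oid[:12]}  {', '.join(sources)}")
```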