Re: [dev] dl.suckless.org file integrity github project
On 26 August 2017 at 21:08, Laslo Hunhold <dev_AT_frign.de> wrote:
> On Fri, 25 Aug 2017 13:54:41 +0200
> Anselm R Garbe <garbeam_AT_gmail.com> wrote:
>> Either that, or perhaps we can reinstate the old fashion of
>> suckless.org/~user/ homedir.
>
> I gave it a bit more thought and realized that putting the keys all in
> one place defeats the purpose of PGP. If the server is compromised, an
> attacker would just have to additionally replace the keys in the
> homedirs besides replacing the signed release-tarballs with fraudulent
> ones that were signed with his "fraudulent" key.
There's nothing wrong to put public keys onto suckless.org, in
addition to a range of other places incl. official key servers.
It would be a very poor assumption to only base a trust model on
public keys found at the same place as some signatures.
BR,
Anselm
Received on Sun Aug 27 2017 - 15:19:19 CEST
This archive was generated by hypermail 2.3.0
: Sun Aug 27 2017 - 15:24:27 CEST