Re: [dev] file integrity github project

From: Anselm R Garbe <>
Date: Sun, 27 Aug 2017 15:19:19 +0200

On 26 August 2017 at 21:08, Laslo Hunhold <> wrote:
> On Fri, 25 Aug 2017 13:54:41 +0200
> Anselm R Garbe <> wrote:
>> Either that, or perhaps we can reinstate the old fashion of
>> homedir.
> I gave it a bit more thought and realized that putting the keys all in
> one place defeats the purpose of PGP. If the server is compromised, an
> attacker would just have to additionally replace the keys in the
> homedirs besides replacing the signed release-tarballs with fraudulent
> ones that were signed with his "fraudulent" key.

There's nothing wrong with putting public keys onto, in
addition to a range of other places including official key servers.

It would be a very poor assumption to only base a trust model on
public keys found at the same place as some signatures.
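A release check written the way Anselm describes, as an added example that is not part of this thread or of any suckless code: the signature is verified against a fingerprint the caller obtained somewhere other than the download site (a key server, a developer's signed mail, an earlier verified release), so a key swapped on the server alongside the tarball does not pass. The weaker check is included for contrast. It assumes GnuPG 2.1 or later on PATH and uses a throw-away keyring per call; the file names are whatever the caller downloaded.

```shell
#!/bin/sh
# Added example, not code from the thread or from suckless. Assumes gpg 2.1+.

# Weak check, the situation Laslo describes: the public key is taken from the
# same place as the tarball and its signature. Whoever controls that place
# re-signs the tarball with a key of their own and ships that key with it.
verify_release_unpinned() {
    tarball=$1 sig=$2 pubkey=$3
    tmp=$(mktemp -d) || return 1
    if ! GNUPGHOME=$tmp gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
        echo "key import failed"; rm -rf "$tmp"; return 1
    fi
    if GNUPGHOME=$tmp gpg --batch --quiet --verify "$sig" "$tarball" 2>/dev/null; then
        rc=0; echo ok
    else
        rc=1; echo "bad signature"
    fi
    GNUPGHOME=$tmp gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}

# Pinned check. EXPECTED is the primary key fingerprint obtained out of band,
# never the key file that sits next to the tarball. Succeeds only if the
# signature is good AND was made by that exact primary key (or a subkey of it).
# Usage: verify_release TARBALL DETACHED_SIG PUBKEY_FILE EXPECTED_FINGERPRINT
verify_release() {
    tarball=$1 sig=$2 pubkey=$3
    expected=$(printf '%s' "$4" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    tmp=$(mktemp -d) || return 1
    # Fresh keyring: the user's own keyring and trust settings play no part.
    if ! GNUPGHOME=$tmp gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
        echo "key import failed"; rm -rf "$tmp"; return 1
    fi
    # Machine-readable verdict. The last field of VALIDSIG is the primary key
    # fingerprint even when a signing subkey produced the signature.
    status=$(GNUPGHOME=$tmp gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
    GNUPGHOME=$tmp gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    signer=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}')
    if [ -z "$signer" ]; then
        echo "bad signature"; return 1
    fi
    if [ "$signer" != "$expected" ]; then
        echo "fingerprint mismatch: signed by $signer, expected $expected"; return 1
    fi
    echo ok
}
```

The pinned variant is the only one worth running: it reads the fingerprint from the VALIDSIG status line rather than trusting GOODSIG alone, because GOODSIG only says "some key in this keyring signed it", and the keyring was just populated from the file the attacker could have replaced.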

Received on Sun Aug 27 2017 - 15:19:19 CEST

This archive was generated by hypermail 2.3.0 : Sun Aug 27 2017 - 15:24:27 CEST