Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other bits
> from the project, the verification just became a lot less trusted. If
> you don't trust the bits you got from the project, why would you trust
> the tool the project gives you to verify the bits? "Here use this tool
> to verify our bits. Trust us, we swear!"

I have the same opinion of signing the page with the hashes.

The pages that list the hashes for F12 are:

https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM

They are PGP-signed using *self-signed* keys listed in:

https://fedoraproject.org/static/fedora.gpg

One web page is signed using keys on another web page. So someone

1. Downloads the ISOs
2. Checks the hash vs. the web page
3. Checks the signature on the web page vs. a key on another web page
4. Cannot check the key

Unless you want people to:

4. Check the key vs. the one on the ISOs

which gets circular.

If we don't trust the page which has the hashes, why do we trust the page which has the keys more? If someone can alter the ISOs and then alter the published hashes to hide their tracks, why not alter the published keys, as well?

Ultimately I'm wondering what problem we're solving by signing the web page in the first place. Sign the hash page with a key which descends from a verifiable, trusted root (even a key signed by the release manager would be better than self-signed), or don't sign the page. I lean toward not signing, and IRL I'm a paranoid security guy.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
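The following is an added example (editor's illustration, not code from the thread or from the Fedora project) that walks the verification steps the message lists and makes the circularity explicit: a hash match against the CHECKSUM page only establishes anything if the page's signing key is anchored somewhere other than the same web site. The sample ISO payload, CHECKSUM page text and signer fingerprint are constructed placeholders; the CHECKSUM line layout follows the BSD-style "SHA256 (name) = hex" form, and the OpenPGP signature check itself is assumed to be done by gpg, whose reported signer fingerprint is passed in rather than re-derived here.

```python
import hashlib
import re

# Constructed sample data, not real Fedora artifacts: a stand-in "ISO" payload
# and a CHECKSUM page in the BSD-style "SHA256 (name) = hex" layout, wrapped
# in a clearsign envelope. The hash line is generated from the sample payload
# so the example is self-consistent.
SAMPLE_ISO = b"constructed stand-in for Fedora-12-i386-DVD.iso\n"
SAMPLE_ISO_NAME = "Fedora-12-i386-DVD.iso"

CHECKSUM_PAGE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "# The image checksum(s) are generated with sha256sum.\n"
    f"SHA256 ({SAMPLE_ISO_NAME}) = {hashlib.sha256(SAMPLE_ISO).hexdigest()}\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(signature block omitted in this constructed sample)\n"
    "-----END PGP SIGNATURE-----\n"
)

# Hypothetical fingerprint of the key that signed the page, as gpg --verify
# would report it. Placeholder value; OpenPGP verification is left to gpg.
PAGE_SIGNER_FPR = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Fingerprints the verifier obtained out of band (a key signed by a release
# manager whose key they already hold, printed media, and so on), NOT from the
# same site that serves the CHECKSUM page. An empty set is the situation the
# mail describes: nothing to check the key against except the site itself.
PINNED_FPRS_OUT_OF_BAND = set()

CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def parse_checksum_page(text):
    """Return {image name: expected sha256 hex} from a CHECKSUM page body."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("hex")
    return expected


def iso_matches_page(iso_bytes, name, page_text):
    """Step 2 of the mail: compare the downloaded ISO's hash with the page."""
    expected = parse_checksum_page(page_text).get(name)
    if expected is None:
        return False
    return hashlib.sha256(iso_bytes).hexdigest() == expected


def normalize_fpr(fpr):
    """Strip spacing and case so fingerprints compare by value."""
    return fpr.replace(" ", "").upper()


def key_is_anchored(signer_fpr, pinned_fprs):
    """Step 4 of the mail: the page's signing key counts as checked only if its
    fingerprint is known from somewhere other than the project's own key page.
    Matching fedora.gpg alone proves nothing, since it sits on the same site."""
    return normalize_fpr(signer_fpr) in {normalize_fpr(p) for p in pinned_fprs}


def verify_release(iso_bytes, name, page_text, signer_fpr, pinned_fprs):
    """Walk the mail's steps and report which ones actually establish trust."""
    hash_ok = iso_matches_page(iso_bytes, name, page_text)
    key_ok = key_is_anchored(signer_fpr, pinned_fprs)
    return {
        "hash_matches_page": hash_ok,
        "key_anchored_out_of_band": key_ok,
        # A hash match only helps if the page is trustworthy, and the page's
        # signature only helps if the key is anchored outside the site.
        "release_trusted": hash_ok and key_ok,
    }


if __name__ == "__main__":
    # With no out-of-band anchor the hash matches but trust is not established.
    print(verify_release(SAMPLE_ISO, SAMPLE_ISO_NAME, CHECKSUM_PAGE,
                         PAGE_SIGNER_FPR, PINNED_FPRS_OUT_OF_BAND))
    # With the fingerprint obtained elsewhere, the chain closes.
    print(verify_release(SAMPLE_ISO, SAMPLE_ISO_NAME, CHECKSUM_PAGE,
                         PAGE_SIGNER_FPR, {PAGE_SIGNER_FPR}))
```

Running the block with the empty pinned set reproduces the message's complaint: the hash check passes, but the "release_trusted" verdict stays false because the key was never checked against anything outside the site. Only when the fingerprint arrives by a separate path does the verdict flip, which is what a key descending from a verifiable root would provide.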