Allen Kistler wrote: > I have the same opinion of signing the page with the hashes. The pages > that list the hashes for F12 are: > > https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM > https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM > > They are PGP-signed using *self-signed* keys listed in: > > https://fedoraproject.org/static/fedora.gpg > > One web page is signed using keys on another web page. So someone > > 1. Downloads the ISOs > 2. Checks the hash vs. the web page > 3. Checks the signature on the web page vs. a key on another web page > 4. Cannot check the key > > Unless you want people to: > > 4. Check the key vs. the one on the ISOs > > which gets circular. > > If we don't trust the page which has the hashes, why do we trust the > page which has the keys more? If someone can alter the ISOs and > then alter the published hashes to hide their tracks, why not alter > the published keys, as well? Ultimately I'm wondering what problem > we're solving by signing the web page in the first place. > > Sign the hash page with a key which descends from a verifiable, > trusted root (even a key signed by the release manager would be > better than self-signed), or don't sign the page. I lean toward not > signing, and IRL I'm a paranoid security guy. To be fair, the *-CHECKSUM files were only added to https://fedoraproject.org/static/checksums/ recently (F-11). And they are still widely available via mirrors and bit torrent. The GPG signatures are quite useful for anyone downloading the CHECKSUM files by those methods. I don't mind that the GPG keys are role keys and are not signed by (m)any other keys (though Jesse has signed some of them in the past). Using SSL to get the keys seems reasonable to me. All trust has to start somewhere. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Some of the narrowest minds are found in the fattest heads. -- Anonymous
Attachment:
pgpypLrfu349d.pgp
Description: PGP signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list