Re: Secrecy and user trust

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Anders Karlsson wrote, On 09/04/2008 01:37 AM:
* Bill Davidsen <davidsen@xxxxxxx> [20080904 05:29]:
Patrick O'Callaghan wrote:
On Wed, 2008-09-03 at 10:30 -0400, Bill Davidsen wrote:
hardest of all find a secure way to provide the public part of the signing key
The whole point about asymmetric encryption is that you don't need a
secure distribution channel. The worst that can happen is that some fake
public key gets distributed, which won't match the private key and hence
will be instantly detectable.

NAK - if a fake public key were distributed then packages signed with the fake key would be matched, allowing full access to install crap in your machine. And packages signed with any valid redhat key would be rejected.

The public key really must be distributed in a secure manner.

I am sure the infrastructure team is all ears for a detailed
suggestion on how you believe this should be achieved. And with your
extensive experience in the field - you ought to be able to provide a
detailed plan of action.

It's very easy sitting at the side-line criticising, but actually
*doing* it is much harder.
IMHO - we're at the "put up or shut up" point with the criticism now.

/Anders


See the suggestion I made a while back[4] for further information about our current use of cobwebs of trust. My suggestion then was not to take care of the current situation, it is too late for using it for the current situation, but it would make any later situations easier to deal with. I still think Fedora needs a master key made (soon after the current situation is resolved) so that we can start building at least a cobweb for it.

suggestions for now:
1) sign the new key with the old key... it is the infrastructure team's plan to do so any way, and many folks will be happy with it. 2) distribute [email | website posting | mass CD mailing] a version of the new key signed by SEVERAL prominent Fedora and OSS/Free software community members. (So any conceived conspiracy has to be larger, and more likely found out :)


[4] https://www.redhat.com/archives/fedora-list/2008-August/msg03255.html
{something seems bonkers with the way the html is showing the footnotes at the end of the message, as it looks like footnote 2 is referencing 3-7, but those seem to have been concatenated onto the same line with footnote 2.}

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux