On 02/22/2016 02:22 PM, Ralf Senderek wrote:
>> If the site is compromised, most bets are off sadly.
> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> discover that the site is compromised if the fingerprint is independently recorded
> many times elsewhere.
> BTW, pointing to a key server is not the way to convince anyone. A key server
> is a convenient way to get keys, not a tool to assure their authenticity.
> So I don't think that there is much of an alternative other than someone stepping in
> and providing some first-hand knowledge about the key.
Could an external service such as keybase.io be helpful here? It's not a
FOSS service, but it's been doing good work on making GPG more
accessible by tying into many services and putting them all in a sort of
verification dashboard.
If keybase is new to you, here's my profile https://keybase.io/ryansb
The Fedora team could get a profile and verify the key(s) through
github, the Fedora and Red Hat web sites, the Fedora magazine twitter
account, and by having the Fedora team all sign publicly.
Combined with having the key on getfedora.org, it at least provides a
measure of protection against our site being compromised. It also has
the benefit that, if someone knows any Fedora devs on Twitter or
another service, they can follow the web of social-service trust. This
isn't as good as if they had a direct path to the Fedora WoT through
normal signatures, but it's much more likely to actually occur.
--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.
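The cross-checking both messages describe, written out as an added example that is not part of the thread: a small Python script that compares one key's fingerprint as published in several independent places and flags any copy that disagrees. The source names and fingerprint values are constructed, not Fedora's real key.

```python
# Cross-check one key fingerprint against several independently published copies.
# All source names and fingerprint values below are constructed for this example.
from collections import Counter

HEX = set("0123456789ABCDEF")

def normalize_fingerprint(text):
    """Canonical form: uppercase hex, no spaces, no 0x prefix (gpg prints groups of 4)."""
    s = text.strip().upper().replace(" ", "")
    if s.startswith("0X"):
        s = s[2:]
    if not s or set(s) - HEX:
        raise ValueError(f"not a hex fingerprint: {text!r}")
    return s

def cross_check(sources, min_agreeing=3):
    """sources: {source_name: fingerprint or key ID as published there}.

    Returns (ok, consensus, outliers). Only full 40-hex (v4) fingerprints can
    form the consensus. A 16-hex long key ID is a weaker corroborating vote if
    it is the suffix of the consensus; an 8-hex short key ID is checked for
    contradiction only, since short IDs are cheap to collide and add no trust.
    Any disagreeing source makes ok False: one tampered copy is exactly the
    signal the other copies exist to expose.
    """
    full, partial = {}, {}
    for name, value in sources.items():
        n = normalize_fingerprint(value)
        if len(n) == 40:
            full[name] = n
        elif len(n) in (8, 16):
            partial[name] = n
        else:
            raise ValueError(f"{name}: unexpected length {len(n)}")
    if not full:
        return False, None, sorted(sources)
    consensus, votes = Counter(full.values()).most_common(1)[0]
    outliers = [name for name, fpr in full.items() if fpr != consensus]
    for name, kid in partial.items():
        if not consensus.endswith(kid):
            outliers.append(name)
        elif len(kid) == 16:
            votes += 1
    return (votes >= min_agreeing and not outliers), consensus, sorted(outliers)

# Constructed sample: four places where the same key is supposed to be published.
SAMPLE_SOURCES = {
    "getfedora.org":   "0000 AAAA 1111 BBBB 2222  CCCC 3333 DDDD 4444 EEEE",
    "keybase.io":      "0x0000aaaa1111bbbb2222cccc3333dddd4444eeee",
    "fedora-magazine": "3333DDDD4444EEEE",  # long key ID only
    "mirror-a":        "0000AAAA1111BBBB2222CCCC3333DDDD4444EEEF",  # last digit differs
}

if __name__ == "__main__":
    print(cross_check(SAMPLE_SOURCES))
```

Run as-is it reports the tampered "mirror-a" copy as an outlier; with that entry removed the remaining three sources reach the agreement threshold.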
--
devel mailing list