Re: More prominent link to verification hashes

On 02/22/2016 05:34 PM, Stephen John Smoogen wrote:
On 22 February 2016 at 13:00, Ralf Senderek <fedora@xxxxxxxxxxx> wrote:

The Fedora team could get a profile and verify the key(s) through
github, the Fedora and Red Hat web sites, the Fedora magazine twitter
account, and by having the Fedora team all sign publicly.

Every little helps. The important step would be if the Fedora devs state the
fingerprints in a visible way that risks their good reputation if the information
turned out to be incorrect. These statements would then be the foundation of
trust in what the Fedora 24 key signs.


OK and how many people check to see what another person's reputation
is? And how many people have gotten bad reputations from signing
bad things? It all sounds great on paper, but without actual methods
and regular checks.. it is as useless as a keysigning party where no
one does a full check of the passport and driver's license with the
issuing authority. [We all do the $200.00 background check on
everyone we sign don't we?]

I don't, but I think there's benefit in using keybase.io and having any Fedora contributors verify that, because:

1. Keybase is easy to check - pop open the web page and it's all there
2. Hosted outside Fedora infrastructure, so 2 points of compromise would have to happen


Also, keep in mind that the checks on keybase aren't necessarily "you are Ryan Scott Brown, as identified by driver's license," but rather that I am the @ryan_sb on twitter, and ryansb on github, and owner of rsb.io. For most "people on the internet" the second set of parameters is what people actually know me as, so that's more useful for the looser verification of "someone I think would notice if Fedora switched their GPG key"

Also, tying the GPG key to the various Fedora project social accounts would help since, again, that's another point of compromise that would need to happen to switch up our .isos.

Literally nothing we can ever do will be bulletproof[1], but doing anything better than putting the GPG keys on the same site as the ISOs isn't futile.


1: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Combined with having the key on getfedora.org, it at least provides a
measure of protection against our site being compromised. It also has
the benefit of, if someone knows of any Fedora devs on Twitter or
another service, they can follow the web of social-service trust. This
isn't as good as if they had a direct path to the Fedora WoT through
normal signatures, but it's much more likely to actually occur.

Yes all of this, please.

--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
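As an added example (not code from this thread or from the Fedora project), this is the cross-check argued for above done mechanically: compute the v4 fingerprint of a downloaded key as RFC 4880 specifies and refuse to trust it unless the fingerprints quoted on independent channels (web site, Keybase, a social account) agree with it. The key material and channel names are constructed placeholders, not real Fedora data.

```python
"""Cross-check a downloaded OpenPGP key against fingerprints read off
independent channels before using it to verify release checksums."""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Strip the spacing, case and 0x prefix people use when quoting fingerprints."""
    fpr = fpr.strip().upper().replace(" ", "")
    return fpr[2:] if fpr.startswith("0X") else fpr


def cross_check(local_fpr: str, published: dict, min_agreeing: int = 2):
    """Return (trusted, disagreeing_channels). Trust needs at least `min_agreeing`
    independent channels to state the local key's fingerprint and none to contradict
    it: one channel disagreeing means a site or account is wrong or compromised."""
    local = normalize(local_fpr)
    agree = [src for src, f in published.items() if normalize(f) == local]
    disagree = [src for src in published if src not in agree]
    return len(agree) >= min_agreeing and not disagree, disagree


# Constructed sample key: a tiny RSA modulus for illustration, NOT a real key.
SAMPLE_BODY = v4_public_key_body(created=1456000000, n=0xC0FFEE1234567890ABCDEF, e=65537)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)
# Fingerprints as they might be quoted on each channel (constructed): the web
# site in upper case, Keybase in lower case, a tweet in four-character groups.
PUBLISHED_OK = {"getfedora.org": SAMPLE_FPR, "keybase.io": SAMPLE_FPR.lower(),
                "twitter": " ".join(SAMPLE_FPR[i:i + 4] for i in range(0, 40, 4))}
# Same channels, but the web site now shows a different (constructed) fingerprint.
PUBLISHED_TAMPERED = dict(PUBLISHED_OK, **{"getfedora.org": "0" * 40})

if __name__ == "__main__":
    print("local key:", SAMPLE_FPR)
    print("all channels agree:", cross_check(SAMPLE_FPR, PUBLISHED_OK))
    print("web site differs:  ", cross_check(SAMPLE_FPR, PUBLISHED_TAMPERED))
```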
