On Mon, 22 Feb 2016 19:45:03 +0000 Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote:

> New users are stateless and little can be done there; at least not
> right now when pre-textual security procedures like Fedora's are
> ubiquitous and thus can't be taken as a clear sign of compromise.

Right.

> Existing users are another matter; "Hey, wasn't the last fedora key
> signed by the fedora-keys-key that I already have?? Something smells
> fishy here". Doubly so if fedora included a fedora-downloader that
> users use to get new images which automatically checked these things.

Perhaps, but they might also just say "oh, download process has changed, oh well". Having an automated downloader that checks things would be nice, but then of course you need to ensure the security of the downloader and that it's not just been tampered with.

> > Pointing people to the sks keyservers to download the key would be
> > nice
>
> I don't think there is any utility in pointing people to a keyserver
> here.

I think it would allow them to check signatures against their web of trust.

> It's useful if that even worked for the few who would do it-- so that
> in untargeted replacement they could sound alarms. But I wasn't even
> suggesting something so broad as WOT: I'm only suggesting that Fedora
> should commit to signing every release key with a long lived, offline
> stored, key-- or, alternatively, with prior releases' release keys. So
> that people who somehow managed to get a faithful fedora keyring at
> some point aren't exposed to compromise over and over again in the
> future.

We don't have the ability to do this. Sigul doesn't support signatures.

> > If the site is compromised how would any of that help?
>
> The compromised site could not sign their replacement keys-- they'd
> have to just alter or drop the procedure that provides actual
> security, and this disruption would catch the attention of some users.
> (and better, if an automated mechanism is provided and gains wide
> usage.)
Perhaps. That's the window the attackers would have, I suppose. Open source projects have an advantage here in that they are transparent. If someone notices something that seems odd they can easily ask about it and raise the flag.

> > This is already done somewhat... the fedora-repos package has all
> > the keys in it from the time it was last updated.
>
> That's good. The last I had seen it didn't include key for future
> releases. If they're there now the instructions could simply tell the
> user to skip the key download if they're already on an updated fedora
> install.

Yep.

kevin
Attachment: pgpXir1mCBWau.pgp (Description: OpenPGP digital signature)
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx