Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 07:22:24PM -0000, Ralf Senderek wrote:

> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> discover that the site is compromised if the fingerprint is independently recorded
> many times elsewhere.

You can already get the keys at various places:

- Fedora website
- physical DVDs
- fedora-repos git repository
- fedora-repos RPM on kojipkgs
- fedora-repos RPM Fedora mirrors
- Fedora ISO images on Fedora mirrors
- Eventually DNSSEC protected from DNS

Also, all recent Fedora keys were signed by me. So how many different
places do we need to make it secure? I am also very interested in making
this secure, but adding more random places to look does not help unless
people are actually looking there. And since you did not notice that I
signed the GPG keys, I guess you did not look much either. Why would
inexperienced users spend so much time on verification? IMHO Fedora is
already doing a great job by providing HTTPS-secured key downloads and
signing all stable releases.

Btw, before suggesting what to provide, maybe think of the instructions
for users that would explain how to verify the keys and downloads. Then
we can also discuss whether or not this would really make sense for
inexperienced users.

Kind regards
Till