On Mon, Feb 22, 2016 at 07:22:24PM -0000, Ralf Senderek wrote: > Yes, for people who look only in one place, the manipulated web server. > But that is the reason why the fingerprint has to pop up in different places > where it is hard to fake. Even if this one user can be tricked, others can > discover that the site is compromised if the fingerprint is independently recorded > many times elsewhere. You can already get the keys at various places: - Fedora website - physical DVDs - fedora-repos git repository - fedora-repos RPM on kojipkgs - fedora-repos RPM Fedora mirrors - Fedora ISO images on Fedora mirrors - Eventually DNSSEC protected from DNS Also all recent Fedora keys were signed by me. So how many different places do we need to make it secure? I am also very interested in making this secure, but adding more random places to look does not help unless people a actually looking there. And since you did not notice that I signed the GPG keys, I guess you did not look much as well. Why would unexperienced users spend so much time into verification? IMHO Fedora is already doing a great job by providing HTTPS secured key downloads and signing all stable releases. Btw before suggesting what to provide, maybe think of the instructions for users that would explain how to verify the keys and downloads. Then we can also discuss whether or not this would really make sense for unexperienced users. Kind regards Till -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
