-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Somewhere like archive.org too maybe -- again totally separate inrastructure + it could be used as a un-official 'official' hash vault for checking. On 03/07/2016 08:27 AM, Matthew Miller wrote: > On Mon, Mar 07, 2016 at 08:32:05AM -0000, Ralf Senderek wrote: >>> What would be proper other places to confirm the fingerprint? >> The following criteria might be reasonable: >> - a place that has authority, that people might trust. >> - a place that is hard to impersonate, that has some protection >> against unauthorized use >> - a place that is visible to many people with a need to verify. >> - a place that is known for publishing cross-checked, reliable information > > We could possibly add it somewhere on a Red Hat site, which I think > would fit all of these criteria in many people's eyes. Since it's > entirely separate infrastructure from Fedora's websites, that would > significantly raise the bar for any targetted website hacking. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJW3YRJAAoJEHeOgyS7CC5mMTkP/A7LqGO4H6KH/EQ3i/j2LG9M rDFZ0l6tfgG3bVebKI/kxrF4nV3EIDS7n77Fo79dX24xhHIQlabhzgDz6p2slhqu 1gjG0DExIYLgyyGvfWHFj253vq1fkYZMKftftLPQZxD4krnYAUtwpGaPkEN0q/gM swumcurdgcjlKUwHc195mcSMbE+2tNDJJ49hU44uYpKWtESajWXZ+n3EOvDsj+lj 2W3gdHpqrPJZbgTPtU8FWgmYQNq3ExDWp6Iayz2S2emeSoimjLJYCtrpPSXLRJBw WC0TZFbZs8cZ0lJy+QJQmpm0n4M0SYRxB2rAN2R3tQ3Ro/KRC0QcEP1Yvwq0QUCK IXiSp0QI3PftKl2SEbSdTKJW8dN0lM+Hd8ZT6EyqGWVHvlKnnaKbHCVJXzi3Acqc UngJtGcmEMubbW02Zkpd1Odk008kUDl4AeD9wuCtwKls+fkrKjJPktIiAL7EJcLL cSf/yYxHjw4GnSfPFkGVHEBmSZm6O3gpRh7jjdzECcBb1WQtLZ8l7iV3EJu16FWu B4TPyV8PxAbzwehR2ZsZIXH5vB/VMLihh+gzt28cenOc/gvgC/eYsd5kmEuRsL52 jDRnGSP27my8PJ/kzcvn5ldi30NtGigpll0Ff8isl0kjg66oJaax5ouJlHQpTmjQ D4HmOiouIBG/F91Izwfi =6G93 -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
