On Tue, Dec 15, 2020 at 01:24:58AM -0500, przemek klosowski via devel wrote: > ...snip... > > I see the need to self-validate against known-good images/repos, either by > checking online, or by leveraging the secure boot, somehow, Unfortunately I > can't think of a foolproof and transparent way of doing it. As it is, I > always try to google the key IDs/fingerprints and make sure that they > correspond to legit package signing keys, but it's all so manual. Yeah, there has to be an anchor for your trust. Right now that is "I trust the certificate authority that issued fedoraproject.org's cert". There has been discussion about doing something with the secure boot chain of trust, which would shift it to "I trust the people who made my pc". It's not a easy problem. Just look at bug 998. ;( kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
