https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #25 from marco <maic23@xxxxxxx> ---

> packagers must be very careful when a release-signing key changes

Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc without checking the hash or fingerprint, so there is no way to detect changes. What am I missing?

> To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org)

I think this is only a coincidence for the 0.20.0 release. All other releases should not match, which is why I assumed the download sources are identical.

> I don't see any statement that Hockeypuck has a solution to the spam attack

Good point. Personally, I can recommend https://keys.openpgp.org/vks/v1/by-fingerprint/01EA5486DE18A882D4C2684590C8019E36C2E964, which claims to be resistant to those attacks (https://keys.openpgp.org/about/faq#sks-pool).

Not sure, but keyserver.ubuntu.com might have solved the attack by disabling key updates, which could lead to problems should the key ever be revoked. Though generally, as long as the fingerprint matches, it should be possible to download the key from any source with reliable uptime.
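One way to act on the fingerprint point made in this comment, as an added example that is not from the bug report or from the Bitcoin Core packaging: a Python check that dearmors a downloaded key, computes the primary key's v4 fingerprint (RFC 4880 section 12.2) and compares it with a pinned value, so a swapped key is rejected whatever server it came from. The pinned fingerprint is the one quoted in the comment; the sample key is constructed toy material, not a real key, and the function names are assumptions of this example.

```python
import base64
import hashlib
import re

# Fingerprint quoted in the comment; the value a spec file should pin, not just a URL.
PINNED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

def dearmor(armored):
    """Strip ASCII armor (RFC 4880 6.2): headers end at the blank line; skip '=CRC' and END."""
    lines = armored.strip().splitlines()
    body = lines[next(i for i, ln in enumerate(lines) if not ln.strip()) + 1:]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith(("=", "-----"))))

def packets(data):
    """Yield (tag, body) per packet; old and new headers, no partial/indeterminate lengths."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                  # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths unsupported")
        else:                                           # old-format header (RFC 4880 4.2.1)
            tag, width = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if width == 8:                              # length type 3: indeterminate
                raise ValueError("indeterminate length unsupported")
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + length]
        i += length

def fingerprint_v4(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99 || 2-byte body length || public-key packet body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def key_matches_pin(armored, pinned=PINNED_FPR):
    """True only if the primary public-key packet (tag 6) hashes to the pinned fingerprint."""
    fpr = next(fingerprint_v4(body) for tag, body in packets(dearmor(armored)) if tag == 6)
    return fpr == re.sub(r"\s+", "", pinned).upper()

def constructed_key(n=0x1234567890ABCDEF, e=65537):
    """Constructed sample (not a real key): armored v4 RSA public-key packet with toy MPIs."""
    def mpi(x):  # RFC 4880 3.2: 2-byte bit length, then the big-endian magnitude
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1590000000).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format CTB for tag 6, 2-byte len
    armor = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{armor}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

In a spec file this check would run in %prep against the downloaded Source12 before `gpg --verify`, failing the build on a mismatch instead of silently trusting whatever the URL served.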