Allen Kistler wrote:
> I have the same opinion of signing the page with the hashes. The pages
> that list the hashes for F12 are:
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
> They are PGP-signed using *self-signed* keys listed in:
> https://fedoraproject.org/static/fedora.gpg
> One web page is signed using keys on another web page. So someone
> 1. Downloads the ISOs
> 2. Checks the hash vs. the web page
> 3. Checks the signature on the web page vs. a key on another web page
> 4. Cannot check the key
> Unless you want people to:
> 4. Check the key vs. the one on the ISOs
> which gets circular.
> If we don't trust the page which has the hashes, why do we trust the
> page which has the keys more? If someone can alter the ISOs and
> then alter the published hashes to hide their tracks, why not alter
> the published keys, as well? Ultimately I'm wondering what problem
> we're solving by signing the web page in the first place.
> Sign the hash page with a key which descends from a verifiable,
> trusted root (even a key signed by the release manager would be
> better than self-signed), or don't sign the page. I lean toward not
> signing, and IRL I'm a paranoid security guy.
To be fair, the *-CHECKSUM files were only added to
https://fedoraproject.org/static/checksums/ recently (F-11). And they
are still widely available via mirrors and bit torrent. The GPG
signatures are quite useful for anyone downloading the CHECKSUM files
by those methods.
I don't mind that the GPG keys are role keys and are not signed by
(m)any other keys (though Jesse has signed some of them in the past).
Using SSL to get the keys seems reasonable to me. All trust has to
start somewhere.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some of the narrowest minds are found in the fattest heads.
-- Anonymous
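The verification chain the two messages describe (key file, signed CHECKSUM file, hash lines, ISO), as an added example that is not code from the thread, from either poster, or from Fedora. It assumes gpg 2.1+ and GNU coreutils, and substitutes a constructed throwaway key, keyring and "ISO" for fedora.gpg and the real release files so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: the chain the
# messages describe (key file -> signed CHECKSUM file -> hash lines -> ISO),
# run offline against a throwaway key so tampering can be observed.
# The generated keyring.gpg stands in for fedora.gpg; all files are constructed.
set -u

# verify_iso KEYRING CHECKSUM ISO_DIR
# Step 1: trust the CHECKSUM file only after its clearsign signature validates
#         against a key in KEYRING (the anchor fetched over SSL, per the thread).
# Step 2: only then compare its hash lines with the ISOs present in ISO_DIR.
verify_iso() {
    keyring=$1 checksum=$2 isodir=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$checksum" >/dev/null 2>&1 || return 1
    ( cd "$isodir" && sha256sum -c --ignore-missing --quiet "$checksum" ) \
        >/dev/null 2>&1
}

# setup_release DIR: throwaway key, a fake "ISO", and a signed CHECKSUM file,
# laid out the way the older GNU-format Fedora CHECKSUM files were.
setup_release() {
    dir=$1
    export GNUPGHOME="$dir/gnupg"; mkdir -p -m 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-gen-key \
        'Constructed release key <release@example.invalid>' default default never \
        >/dev/null 2>&1
    gpg --batch --export -o "$dir/keyring.gpg"   # plays the role of fedora.gpg
    printf 'not really an iso\n' > "$dir/Fedora-12-i386-DVD.iso"
    ( cd "$dir" && sha256sum Fedora-12-i386-DVD.iso ) > "$dir/CHECKSUM.txt"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --clearsign -o "$dir/Fedora-12-i386-CHECKSUM" "$dir/CHECKSUM.txt"
}

# tamper_checksum DIR: the case the thread worries about, a published hash
# altered after signing. Without the signer's key the edit breaks the
# signature, so step 1 rejects the file before any hash is compared.
tamper_checksum() {
    sed 's/^[0-9a-f]\{8\}/deadbeef/' "$1/Fedora-12-i386-CHECKSUM" > "$1/tampered"
}

rel=$(mktemp -d); setup_release "$rel"
verify_iso "$rel/keyring.gpg" "$rel/Fedora-12-i386-CHECKSUM" "$rel" \
    && echo "genuine CHECKSUM: signature good, ISO hash matches"
tamper_checksum "$rel"
verify_iso "$rel/keyring.gpg" "$rel/tampered" "$rel" \
    || echo "tampered CHECKSUM: rejected at the signature step"
```

What the signature step cannot do is tell you whether keyring.gpg itself is the right one; that trust comes only from how the key file was obtained, which is exactly the point the thread argues over.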