Fedora Magazine - Pitch: GPG

Till Maas opensource at till.name
Mon Jan 11 17:38:29 UTC 2016


Hi,

As a disclaimer: I am not very experienced with marketing, but I have
some generic/technical ideas.

On Sun, Jan 10, 2016 at 03:56:59PM -0500, charles profitt wrote:
> I have put up an outline for a potential magazine article.
> 
> https://fedoramagazine.org/?p=11485&preview=true

Not sure if you plan to address this, but here are some questions that
I would try to answer in such a posting:

* Why should I use GPG/why do I need it?
    * Despite protecting E-Mail and Jabber communication this should
      also mention protection of software. For example, package
      maintainers should use it to verify the source code coming from
      upstream:
      http://pkgs.fedoraproject.org/cgit/rpms/youtube-dl.git/tree/youtube-dl.spec#n35

* How does Fedora use it?
    * IMHO one important fact about Fedora is that we protect nearly all
      deliverables with GPG, i.e. ISO images, VM images and RPMS. Only
      Fedora Rawhide is not always completely signed. See for example:
      https://getfedora.org/verify
    * Also, FAS allows storing a GPG fingerprint to be able to recover
      an account in case of lost e-mail access and password. It
      currently says GPG key id, but it will be the fingerprint with the
      next release.
    * And GPG keys from FAS accounts are available via DNSSEC using the
      openpgpkey tool (in package hash-slinger)
    * maybe more?

* How do I manage GPG keys in RPM/DNF?
    * This would be something specific to Fedora that is not found in
      other guides.

Then there are important technical aspects that one should consider:
* https://help.riseup.net/en/security/message-security/openpgp/best-practices
* https://evil32.com/

And other topics could be using smartcards/tokens to protect the key or
using GPG keys for SSH authentication.

Kind regards
Till