tarball signing
Sandro Knauß
knauss at kolabsys.com
Fri Jun 3 22:18:44 UTC 2016
Hey,
> Does that really fix anything if noone has my gpg key in the
> trusted/validated signatures area? How do they know it's me that signed the
> package and not some hacker that got access to the server and did sign the
> tarballs?
On the one side, if the privatekey is easy to grab, it does not help improving
security, but if the private key, lifes at only on a specifc secured computer
it would help a lot.
One major thing is that I can easily see, that it is the same key used as for
the release before. I can be sure, that nobody changed the tarballs at the
server after they were pushed. And this is realy a security issue, it happens
for other opensource projects. And also if I would create a gpgkey with the
same name, other would see, that a different key was used. We can publish the
release key website, keyserver make prints on akademy,...
So at first it is the tofu security model, but with time we can improve the
security.
Regards,
sandro
More information about the release-team
mailing list