Mailinglist Archive: opensuse-project (134 mails)

Re: [opensuse-project] Insecure openSUSE Downloads
On 02/29/2016 06:32 AM, Łukasz 'Cyber Killer' Korpalski wrote:
On 29.02.2016 at 11:52, Carlos E. R. wrote:
On 2016-02-29 10:00, Łukasz 'Cyber Killer' Korpalski wrote:

But the checksums are pgp signed (inline pgp signature inside the sha256
checksum file), so as long as the user has the pubkey used for this
signature and uses it to verify the checksums, everything is fine. The
pubkey long fingerprint is noted on the main iso download page, not on
the mirrors pages.

But the PGP signatures, to be secure, need a web of trust. A separate
and trusted method to download and verify the keys themselves, and this
we don't have.

Probably a certified page with all keys used by the project for signing
downloads and builds.


Certified by who? Some commercial CA?

Does https://letsencrypt.org/ apply?


--
Regards,
Uzair Shamim
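
The check discussed in this thread, as an added example (not code from the thread or from openSUSE): a signature that gpg reports as valid only helps if the signing key's fingerprint equals one obtained over a separate trusted channel. The fingerprint, file name, image bytes and status lines below are constructed sample values; the status text stands in for the output of `gpg --status-fd 1 --verify` on the signed checksum file.

```python
import hashlib
import re

# Constructed sample values, not real openSUSE data.
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # as read from a trusted page
ISO_NAME = "example.iso"
ISO_BYTES = b"constructed image contents"
# Signed text of the checksum file, in sha256sum format.
SIGNED_TEXT = hashlib.sha256(ISO_BYTES).hexdigest() + "  " + ISO_NAME + "\n"
_F = "0123456789ABCDEF0123456789ABCDEF01234567"
GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signing Key\n"
    f"[GNUPG:] VALIDSIG {_F} 2016-02-29 1456740000 0 4 0 1 8 01 {_F}\n"
)

def normalize(fpr):
    """Strip the spacing used when fingerprints are printed for humans."""
    return re.sub(r"\s+", "", fpr).upper()

def valid_signers(gpg_status):
    """Fingerprints from VALIDSIG status lines (primary key when gpg reports it)."""
    signers = set()
    for line in gpg_status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signers.add(normalize(f[11] if len(f) >= 12 else f[2]))
    return signers

def listed_digest(signed_text, filename):
    """SHA-256 listed for filename in the signed text, or None if absent."""
    for line in signed_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line.strip())
        if m and m.group(2) == filename:
            return m.group(1).lower()
    return None

def download_ok(gpg_status, pinned_fpr, signed_text, filename, data):
    """True only if the pinned key signed the checksums AND the data matches."""
    # A valid signature from any other key proves nothing about the download.
    if normalize(pinned_fpr) not in valid_signers(gpg_status):
        return False
    expected = listed_digest(signed_text, filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected
```

`signed_text` should be the text gpg outputs after verification, not the raw file, since lines outside the signed region of a clearsigned file are not covered by the signature.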