German ct magazine postulates death of pgp encryption

Peter Lebbing peter at digitalbrains.com
Mon Mar 2 18:53:57 CET 2015


On 02/03/15 11:35, Stephan Beck wrote:
> Sticking to that "perfect position argument", in what kind of position are 
> (would be) the people that control (packaging of) your distro? (Just
> curious.)

I think they basically completely control my system. For individual Debian
Developers, it might need some ingenuity to get something sneaky on my
computer, since they generally only provide source, and the binaries are built
on the Debian infrastructure. Mind you, I say they need some ingenuity, that
is a far shot from "it's difficult". But the keys that the package manager
checks? If you have those, and can get my package manager to download your
stuff, it's trivial to change any file, any binary, any program on my computer.

It has occurred to me that I probably could simply local-sign and fully trust
all OpenPGP keys of Debian Developers, since if the holder of said key wanted,
they could simply hardwire my GnuPG installation to effectively do the same
without my consent. But still, I haven't done it :).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
