Verification via the web of trust

Andrew Gallagher andrewg at
Thu Mar 24 21:46:54 CET 2016

> On 24 Mar 2016, at 19:40, Doug Barton <dougb at> wrote:
> But that's precisely my point. You have no idea what individual was actually responsible for signing the package you're downloading. It *could* be the same trusted package uploader that has signed the last few packages you grabbed, or it could be a nefarious individual who managed to get hold of Apache's secret key. My point is that there is no volume of signatures on or leading up to that key which will answer this question for you.

I don't see anyone on this thread arguing otherwise. All that I've claimed is that *some* trust path is better than none, as it provides a speed bump against *some* attacks. All security is just speed bumps in the end - if the NSA really wants to get you, they probably will. 

Listing the attacks a particular measure *doesn't* cover (developer coercion!) doesn't tell us anything, particularly when a) nobody claimed that it did and b) no other practical measure covers them either.

> I didn't say that they are useless. I said that we have to be realistic about what their value is (and isn't).

Value is in the eye of the beholder. I did say that my effort was not worth the result. You said it was a fool's errand. I don't see how we are disagreeing on anything of substance. 
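The distinction the two posters are circling, as an added worked example (this is not code from the thread or from GnuPG; the certification graph, the key names and the `max_depth` default are constructed for illustration, with 5 chosen to match GnuPG's default `--max-cert-depth`): a trust-path check walks the web-of-trust certification graph from your own key to the fingerprint that signed the package. It rejects a freshly generated key that merely copies the expected user ID, because nobody you trust has certified it, which is the "speed bump". It cannot reject a signature made with the genuine key's stolen secret material, because the path is computed from the fingerprint alone and is identical in both cases, which is Doug's point.

```python
from collections import deque

# Constructed toy certification graph: each (hypothetical, shortened) key name
# maps to the set of keys it has certified. "ME" is the verifier's own key.
# None of these keys exist; they are invented for this example.
CERTIFICATIONS = {
    "ME": {"ALICE", "BOB"},
    "ALICE": {"CAROL"},
    "BOB": {"CAROL", "DAVE"},
    "CAROL": {"APACHE_RELEASE"},
    "DAVE": set(),
    "APACHE_RELEASE": set(),
    # A forged key carrying the same user ID but no certifications at all.
    "FORGED_APACHE_RELEASE": set(),
}


def trust_path(graph, start, target, max_depth=5):
    """Breadth-first search for the shortest certification chain from `start`
    to `target` of at most `max_depth` hops (5 mirrors GnuPG's default
    --max-cert-depth). Returns the list of keys on the path, or None."""
    if start == target:
        return [start]
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue  # would exceed the hop budget; do not expand further
        for certified in graph.get(key, ()):
            if certified in seen:
                continue
            new_path = path + [certified]
            if certified == target:
                return new_path
            seen.add(certified)
            queue.append((certified, new_path))
    return None


def verify_package(signer_fpr, graph, my_key="ME", max_depth=5):
    """Apply the trust-path check to a package signed by `signer_fpr`.
    Returns (accepted, reason); the reason is the path when accepted."""
    path = trust_path(graph, my_key, signer_fpr, max_depth)
    if path is None:
        return False, f"no certification path from {my_key} to {signer_fpr}"
    return True, " -> ".join(path)


def accepts_signature(sig, graph, my_key="ME"):
    """`sig` is a constructed record {"signer": fingerprint, "made_by": who}.
    Only the signer fingerprint is visible to a real verifier; the `made_by`
    field exists purely to show that a signature produced by whoever holds a
    stolen copy of the secret key is indistinguishable from the legitimate
    uploader's, so the trust path gives the same answer for both."""
    accepted, _ = verify_package(sig["signer"], graph, my_key)
    return accepted


if __name__ == "__main__":
    print(verify_package("APACHE_RELEASE", CERTIFICATIONS))
    print(verify_package("FORGED_APACHE_RELEASE", CERTIFICATIONS))
    for who in ("uploader", "thief"):
        sig = {"signer": "APACHE_RELEASE", "made_by": who}
        print(who, accepts_signature(sig, CERTIFICATIONS))
```

Run stand-alone, the genuine key is accepted via ME -> ALICE -> CAROL -> APACHE_RELEASE, the forged key is rejected, and the "uploader" and "thief" signatures are accepted identically. Shortening `max_depth` (or restricting which of your certifications count as trusted introducers) narrows what the check accepts but never changes that last result; that is the attack class the thread agrees no trust-path measure addresses.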


More information about the Gnupg-users mailing list