SKS Keyserver Network Under Attack

Robert J. Hansen rjh at sixdemonbag.org
Mon Jul 1 04:48:01 CEST 2019


> OK, that's great news. And I get from the HN thread that repository keys
> are updated via signed packages, with no calls to SKS keyservers. So I'm
> no longer freaking about that level of damage.

Eh.  Yes.  No.  Hard to say.  The problem is that many of these distros
allow third parties to run their own repositories under more permissive
rules, and some of these third parties are extremely popular.  Plus,
often sysadmins will roll their own RPMs of packages: in such cases you
quickly lose the ability to say definitively what will or will not happen.

If the major distros update their distro signing certificates through
signed packages, great: that's good.  But don't go thinking that means
you're out of the woods.

Whenever anyone gives you concrete yes-or-no, this will-or-won't happen
answers about a complicated ecosystem that has a ton of hidden bits that
can't be seen, that person most likely has misunderstood the problem.
