On Wed, 23 Aug 2017 22:29:17 +0200 Markus Teich <markus.te...@stusta.mhn.de> wrote:
> Mattias Andrée wrote:
> > If the server's authenticity can be proven with HTTPS,
> > what additional security do PGP signatures provide?
>
> Some people trust persons they know more than they trust random corporations
> with questionable security policies. Other people think PGP sucks. I don't know
> which group has the majority in the suckless community, thus I asked for a
> gentle vote by flamewar.
>
> I count myself among the PGP proponents, but have to admit that I might be too
> lazy to check the PGP signatures myself.
>
> --Markus

In general PGP is good (of course, cryptography inherently sucks, but that's
something we have to live with), but it's just a hassle when it comes to
software packages. There are a few things to take into consideration when
deciding what to do here:

* The number of people that actually know the developers of an individual
  package is negligible, so there isn't actually anyone that the users can
  trust.
* It's probably easier to trust the developers than suckless itself.
* If a user verifies that there is no history of malice up to a signed release,
  the user can to some extent trust the developer, and the developer's
  signature can be used to verify that no one else on suckless caused the
  server to upload a malicious version.
* An alternative to signature files is to sign the tags in Git, and those that
  care enough could pull releases from Git instead.
* Signature files allow all developers, not just the owner, to sign the
  release.
* If signature files are added, people will probably make packages in
  repositories, such as the AUR, check the signature, which can be a burden on
  the users, who must add the developer's key to the keyring or disable
  signature checks.
* If someone with root access to the suckless servers wants to replace a
  release, he can serve the genuine version of the site to everyone who has
  connected to the server previously, serve a malicious version to new
  visitors, and have the PGP keys changed.
* If a developer publishes a release, only root and that developer should be
  able to replace the release.
* So do PGP keys actually add any security if we have HTTPS, or do they just
  give a false sense of security?
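The two signing options the thread weighs, a detached signature file next to the tarball and a signed Git tag, side by side as an added shell example (not part of this mail, nor code from any suckless project). It builds a throwaway GnuPG keyring, signs a constructed stand-in tarball both ways, then runs the checks a user or AUR packager would run, including against a tampered copy. The key uid "Example Dev <dev@example.invalid>", the file name tool-1.0.tar.gz and the tag name 1.0 are made up for the demonstration; it assumes gpg (2.1 or later) and git are installed.

```shell
#!/bin/sh
# Added example (not from the mail or any suckless project): sign a release as
# a detached .sig file and as a git tag, then verify both like a user would.
# The key uid, tarball name and tag name below are made up for the demo.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

DEV_UID="Example Dev <dev@example.invalid>"
TARBALL="$WORK/tool-1.0.tar.gz"

# 1. Throwaway ed25519 signing key with no passphrase (demo only).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$DEV_UID" ed25519 sign 0
DEV_FPR=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Stand-in "release tarball" (constructed content, not a real archive).
printf 'tool-1.0: constructed release payload\n' > "$TARBALL"

# 3a. Detached, armoured signature published next to the tarball.
gpg --batch --quiet -u "$DEV_FPR" --detach-sign --armor \
    -o "$TARBALL.sig" "$TARBALL"

# 3b. The same release as a signed tag in a git repository.
REPO="$WORK/repo"
git init -q "$REPO"
git -C "$REPO" config user.name "Example Dev"
git -C "$REPO" config user.email "dev@example.invalid"
git -C "$REPO" config user.signingkey "$DEV_FPR"
cp "$TARBALL" "$REPO/tool-1.0.tar.gz"
git -C "$REPO" add tool-1.0.tar.gz
git -C "$REPO" commit -q -m "release 1.0"
git -C "$REPO" tag -s 1.0 -m "tool 1.0"

# 4. A tampered copy: one byte appended, as a hijacked server might serve.
cp "$TARBALL" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"

# verify_release FILE SIG: succeeds only if SIG is a good signature over FILE
# from a key in the keyring.  gpg exits non-zero on a BAD signature, but exits
# 0 for a good signature from an *untrusted* key, so this proves the bytes
# match what the key holder signed, not that the key belongs to the developer.
verify_release() {
    gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# verify_tag REPO TAG: the same check for a signed tag (git runs gpg --verify).
verify_tag() {
    git -C "$1" verify-tag "$2" >/dev/null 2>&1
}

# Demo run: genuine tarball, tampered tarball, signed tag.
verify_release "$TARBALL" "$TARBALL.sig" && echo "tarball: good signature"
verify_release "$WORK/tampered.tar.gz" "$TARBALL.sig" || echo "tampered: rejected"
verify_tag "$REPO" 1.0 && echo "tag 1.0: good signature"
```

Both checks only answer "was this signed by a key I already hold"; which key to hold is exactly the trust question the thread is about. A packager normally pins that decision to a fingerprint (for the AUR, the validpgpkeys array in the PKGBUILD), so a key swapped on the server does not silently pass.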