On 26 August 2017 at 21:08, Laslo Hunhold <d...@frign.de> wrote:
> On Fri, 25 Aug 2017 13:54:41 +0200
> Anselm R Garbe <garb...@gmail.com> wrote:
>> Either that, or perhaps we can reinstate the old fashion of
>> suckless.org/~user/ homedir.
>
> I gave it a bit more thought and realized that putting the keys all in
> one place defeats the purpose of PGP. If the server is compromised, an
> attacker would just have to additionally replace the keys in the
> homedirs besides replacing the signed release-tarballs with fraudulent
> ones that were signed with his "fraudulent" key.
There's nothing wrong with putting public keys onto suckless.org, in addition to a range of other places incl. official key servers. It would be a very poor assumption to only base a trust model on public keys found at the same place as some signatures.

BR,
Anselm
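The trust model Anselm describes, applied to a release download, as an added example that is not part of the thread and not suckless.org tooling: the key fetched from the same host as the tarball is only imported once its fingerprint matches one recorded from an independent source (a keyserver, a previous release, the author in person). It assumes GnuPG 2.1 or later is installed; the pinned fingerprint and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a signed release tarball only after confirming that
# the public key obtained alongside it matches a fingerprint pinned from an
# independent source, so a compromised download host cannot substitute both
# the tarball and the key.

# Constructed placeholder: in practice this value is recorded out-of-band,
# never copied from the same server that serves the tarball and signature.
PINNED_FPR="0000000000000000000000000000000000000000"

# Extract the primary-key fingerprint from an armored key file using gpg's
# machine-readable output (the "fpr" record, field 10), without importing.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spaces and case; an empty fingerprint
# (key file unreadable or not a key) never matches.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Full check: refuse to trust the downloaded key unless it matches the
# pinned fingerprint, then verify the detached signature in a throwaway
# keyring that contains nothing else.
verify_release() {
    key=$1; sig=$2; tarball=$3
    fpr=$(key_fingerprint "$key")
    if ! fingerprint_matches "$fpr" "$PINNED_FPR"; then
        echo "key fingerprint '$fpr' does not match pinned $PINNED_FPR" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    GNUPGHOME=$tmp gpg --batch --import "$key" 2>/dev/null
    GNUPGHOME=$tmp gpg --batch --verify "$sig" "$tarball"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholder file names):
#   sh verify_release.sh user.asc tool-1.0.tar.gz.sig tool-1.0.tar.gz
if [ $# -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

The throwaway `GNUPGHOME` keeps the check independent of whatever else is in the user's keyring, so a "Good signature" line can only come from the pinned key.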