On 17.02.2015 at 14:22, Werner Koch <w...@gnupg.org> wrote:

> I do not think that it matters whether you pull using the git or the ssh
> protocol. In both cases an active attacker can intercept the traffic
> easily. Virtually nobody checks ssh host keys and how should they do it
> given that I can't find its fingerprint easily on github. Thus you would only
> see the "host key changed" warning in case this is not the first time
> you connected to this github project (I assume they use different host
> keys per project).

I do verify the fingerprint, and they are quite easy to find actually:

https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/

First Google match for "GitHub SSH fingerprint".

> After all it is not different from downloading tarballs - only 10 to 20%
> of all downloads also download the signature file and for most projects
> there is no signature file.

Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called, which is then verified. So I guess you can't easily map that to "only x% of users check the downloaded tarball". I guess it's a lot more; it's just that not all check it using the .sig.

> For gnupg.org we assume that users of the repos closely watch out for
> conflicts and verify the latest release tag. If there is a problem that
> should be reported to a mailing-list (after verification that it is
> really a conflict).
>
> git meanwhile allows to sign commits. If anyone knows a method to set a
> different key for tagging and commits, I would soon start to sign each
> commit. I use a smartcard based key for tagging but won't use that for
> regular commits.

git commit -S<keyID>

You can just create an alias for that; I, for example, use git ci.

--
Jonathan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
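The split-key setup Jonathan describes (one key for tags, a different key for commits, selected through an alias) as an added shell example that is not part of the thread. It builds a throwaway repository, sets `user.signingkey` to the key that `git tag -s` will use and an alias `ci` that passes a different key via `commit -S<keyid>`; the two key IDs are placeholders, not real keys, and no signature is actually produced, so it runs without gpg or a smartcard.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Key IDs are placeholders.
TAG_KEY="0xTAGKEYPLACEHOLDER"       # hypothetical: the smartcard key used by 'git tag -s'
COMMIT_KEY="0xCOMMITKEYPLACEHOLDER" # hypothetical: the everyday key for signed commits

# Create a throwaway repository and apply the two-key configuration to it.
# Prints the repository path so callers can inspect the result.
setup_signing_config() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    # user.signingkey is the key 'git tag -s' uses when no -u is given
    git -C "$repo" config user.signingkey "$TAG_KEY"
    # '-S<keyid>' (no space) overrides user.signingkey for that commit only,
    # so tags keep using the smartcard key
    git -C "$repo" config alias.ci "commit -S$COMMIT_KEY"
    echo "$repo"
}

# Report which key a signed tag would use in the given repository.
key_for_tags() {
    git -C "$1" config --get user.signingkey
}

# Report which key 'git ci' (the alias) would sign commits with.
key_for_commits() {
    git -C "$1" config --get alias.ci | sed 's/^commit -S//'
}
```

With this in place, `git ci -m "..."` signs with the everyday key while `git tag -s v1.0` still picks up the smartcard key from `user.signingkey`; anyone verifying the repository can then check tag signatures against the release key and commit signatures against the developer's working key separately.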