On Mon, Mar 7, 2016 at 8:27 AM, Stephen John Smoogen wrote:
> On 7 March 2016 at 01:32, Ralf Senderek wrote:
>>> What would be proper other places to confirm the fingerprint?
>>
>> The following criteria might be reasonable:
>> - a place that has authority, that people might trust.
>> -
On Mon, 7 Mar 2016, Stephen John Smoogen wrote:
Hope that helps to find such places.
Not really. Everything above is subjective. In the past, when I have
looked for sites that meet such criteria no one agrees that the place
meets such criteria.
We put it in redhat.com and people who hate co
On 7 March 2016 at 01:32, Ralf Senderek wrote:
>> What would be proper other places to confirm the fingerprint?
>
> The following criteria might be reasonable:
> - a place that has authority, that people might trust.
> - a place that is hard to impersonate, that has some protection
>
On Thursday, February 25, 2016 09:29:26 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> > Which fingerprint? There is a number of keys
> >
> > Dennis
>
> The one you were referring to in your posting and which
> an ordinary user would verify with:
>
> gpg --list-keys --fin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Somewhere like archive.org too maybe -- again totally separate
infrastructure + it could be used as an un-official 'official' hash
vault for checking.
On 03/07/2016 08:27 AM, Matthew Miller wrote:
> On Mon, Mar 07, 2016 at 08:32:05AM -, Ra
On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote:
> > What would be proper other places to confirm the fingerprint?
> The following criteria might be reasonable:
> - a place that has authority, that people might trust.
> - a place that is hard to impersonate, that has some p
> What would be proper other places to confirm the fingerprint?
The following criteria might be reasonable:
- a place that has authority, that people might trust.
- a place that is hard to impersonate, that has some protection
against unauthorized use
- a place that is visib
On Thu, Feb 25, 2016 at 09:29:26PM +0100, Ralf Senderek wrote:
> PS: if you had a long-term signing key it would be its fingerprint.
How would an ordinary user use a long-term signing key?
Kind regards
Till
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/
On Thu, Feb 25, 2016 at 08:05:59PM +0100, Ralf Senderek wrote:
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
Which fingerprint? There is a number of keys
Dennis
The one you were referring to in your posting and which
an ordinary user would verify with:
gpg --list-keys --fingerprint 81B46521
Ralf
PS: if you had a long-term signing key it would be its f
On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> > No one has access to the private key. It lives on a server that has no
> > services running that listen for connections. There is a service that
> > runs
> > on
> > it that talks to
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
No one has access to the private key. It lives on a server that has no
services running that listen for connections. There is a service that runs
on
it that talks to the signing bridge. That brokers all requests. Users with
access do not know the p
On Tuesday, February 23, 2016 10:18:49 PM Ralf Senderek wrote:
> On Tue, 23 Feb 2016, Till Maas wrote:
> > I used my access to the signing server to verify the key before signing
> > it. But why is confirming the fingerprint here a step forward? Why would
> > someone search in this mailing list for
On Tue, 23 Feb 2016, Till Maas wrote:
I used my access to the signing server to verify the key before signing
it. But why is confirming the fingerprint here a step forward? Why would
someone search in this mailing list for the fingerprint of the gpg key?
FWIW, the signing server just gave me a
On Tue, Feb 23, 2016 at 08:13:59PM +0100, Ralf Senderek wrote:
>
> On Tue, 23 Feb 2016, Till Maas wrote:
>
> > You can already get the keys at various places:
> >
> > - Fedora website
> > - physical DVDs
> > - fedora-repos git repository
> > - fedora-repos RPM on kojipkgs
> > - fedora-repos RPM F
On 23 February 2016 at 12:13, Ralf Senderek wrote:
>
> On Tue, 23 Feb 2016, Till Maas wrote:
>
>> You can already get the keys at various places:
>>
>> - Fedora website
>> - physical DVDs
>> - fedora-repos git repository
>> - fedora-repos RPM on kojipkgs
>> - fedora-repos RPM Fedora mirrors
On Tue, 23 Feb 2016, Till Maas wrote:
You can already get the keys at various places:
- Fedora website
- physical DVDs
- fedora-repos git repository
- fedora-repos RPM on kojipkgs
- fedora-repos RPM Fedora mirrors
- Fedora ISO images on Fedora mirrors
- Eventually DNSSEC protected from
On Mon, Feb 22, 2016 at 07:22:24PM -, Ralf Senderek wrote:
> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> dis
On Tue, 23 Feb 2016 18:01:29 +0100
Till Maas wrote:
> On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> > On Mon, 22 Feb 2016 19:45:03 +
> > Gregory Maxwell wrote:
>
> > > I don't think there is any utility in pointing people to a
> > > keyserver here.
> >
> > I think it w
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.
The gpg tool
On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> On Mon, 22 Feb 2016 19:45:03 +
> Gregory Maxwell wrote:
> > I don't think there is any utility in pointing people to a keyserver
> > here.
>
> I think it would allow them to check signatures against their web of
> trust.
Since
On Mon, 22 Feb 2016 19:45:03 +
Gregory Maxwell wrote:
> New users are stateless and little can be done there; at least not
> right now when pre-textual security procedures' like Fedora's are
> ubiquitous and thus can't be taken as a clear sign of compromise.
Right.
> Existing users are anot
On Tue, 23 Feb 2016 04:12:41 +
Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> > On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi
> > wrote:
> > > My point was that you can get the signatures off the key from the
> > > keyserver and see i
On 02/22/2016 05:34 PM, Stephen John Smoogen wrote:
On 22 February 2016 at 13:00, Ralf Senderek wrote:
The Fedora team could get a profile and verify the key(s) through
github, the Fedora and Red Hat web sites, the Fedora magazine twitter
account, and by having the Fedora team all sign public
On Mon, 22 Feb 2016 09:29:37 -0700
Kevin Fenzi wrote:
> On Sun, 21 Feb 2016 23:21:58 +0100
> Jens Lody wrote:
>
> > This can also be done before clicking the link-button, or the
> > download splash is also shown without javascript. This should not
> > be too hard to implement.
>
> https://
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
> > My point was that you can get the signatures off the key from the
> > keyserver and see if any of them are someone you trust. If not, are
> > they connected to someone you tru
For what it is worth, not signing the key is bug 1043276:
https://bugzilla.redhat.com/show_bug.cgi?id=1043276
> Date: Mon, 22 Feb 2016 19:47:51 +
> From: Gregory Maxwell
> Subject: Re: More prominent link to verification hashes
> To: Development discussions relat
On 22 February 2016 at 13:00, Ralf Senderek wrote:
>
>> The Fedora team could get a profile and verify the key(s) through
>> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
>> account, and by having the Fedora team all sign publicly.
>
> Every little helps. The important step
> The Fedora team could get a profile and verify the key(s) through
> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
> account, and by having the Fedora team all sign publicly.
Every little helps. The important step would be if the Fedora devs state the
fingerprints in a
On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
> My point was that you can get the signatures off the key from the
> keyserver and see if any of them are someone you trust. If not, are
> they connected to someone you trust (hey, look, web of trust). I think
> expanding the web of trust on the
On Mon, Feb 22, 2016 at 6:35 PM, Kevin Fenzi wrote:
> Well, I agree the instructions could do better, but how would that help
> if the site was compromised? The attackers would write their own
> instructions.
>
> In addition to the verify link, the https://getfedora.org/en/keys/faq/
> needs a good
On Mon, 22 Feb 2016 19:22:24 -
"Ralf Senderek" wrote:
> > If the site is compromised, most bets are off sadly.
>
> Yes, for people who look only in one place, the manipulated web
> server. But that is the reason why the fingerprint has to pop up in
> different places where it is hard to f
On 02/22/2016 02:22 PM, Ralf Senderek wrote:
If the site is compromised, most bets are off sadly.
Yes, for people who look only in one place, the manipulated web server.
But that is the reason why the fingerprint has to pop up in different places
where it is hard to fake. Even if this one use
> If the site is compromised, most bets are off sadly.
Yes, for people who look only in one place, the manipulated web server.
But that is the reason why the fingerprint has to pop up in different places
where it is hard to fake. Even if this one user can be tricked, others can
discover that the
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik
> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> >
>
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
On Mon, 22 Feb 2016 18:21:04 -
"Ralf Senderek" wrote:
> While signing new keys with old release keys would certainly help to
> make the attacker's job harder, it doesn't solve the trust problem.
I don't think it even makes their job harder.
> The one thing people would have to check is th
On Mon, 22 Feb 2016 16:48:29 +
Gregory Maxwell wrote:
> On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik
> wrote:
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify
>
> The instructions here have you download a set of PGP ke
> On Sun, Feb 21, Gregory Maxwell wrote:
> The Fedora 24 key inside it is not signed by any other key.
...
> Authenticating keys is hard in general; but existing fedora users
> should at least be able to trust-on-first-use chain from earlier keys
> to later ones-- assuming the fedora keys are ke
On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik wrote:
> One has to jump into the installation guide, in order to find a buried link
> to https://getfedora.org/verify
The instructions here have you download a set of PGP keys from the
same https webserver which could have been compromised to give
On Sun, 21 Feb 2016 23:21:58 +0100
Jens Lody wrote:
> This can also be done before clicking the link-button, or the download
> splash is also shown without javascript. This should not be too hard
> to implement.
https://fedorahosted.org/fedora-websites awaits your ticket.
Bonus points for prop
Adam Williamson writes:
On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
>
> >
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > >
> > > I don't see any hint about verification, if I go to the
> > > download-site from germany:
> > >
>
On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
>
> >
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > >
> > > I don't see any hint about verification, if I go to the
> > > download-site from germany:
> > >
> > > https://getfedora.
On Sun, 21 Feb 2016 23:08:23 +0100
Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
>
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > > I don't see any hint about verification, if I go to the
> > > download-site from germany:
> > >
> > > https://getfedora.org/de_
On Sun, 21 Feb 2016 21:35:32 +
Tom Hughes wrote:
> On 21/02/16 21:31, Jens Lody wrote:
>
> > I don't see any hint about verification, if I go to the
> > download-site from germany:
> >
> > https://getfedora.org/de_CH/workstation/download/
> >
> > There's just a button, that directly downlo
On Sun, 21 Feb 2016 10:36:37 -0700
Kevin Fenzi wrote:
> On Sun, 21 Feb 2016 09:32:46 -0500
> Sam Varshavchik wrote:
>
> > So, I see that someone hacked Linux Mint, and slipped in some
> > trojaned ISO download images.
> >
> > As a curiosity, I went to https://getfedora.org, to see how easy
On 21/02/16 21:31, Jens Lody wrote:
I don't see any hint about verification, if I go to the download-site from
germany:
https://getfedora.org/de_CH/workstation/download/
There's just a button, that directly downloads the iso.
You must have javascript disabled for getfedora.org then - if it
On Sun, Feb 21, 2016 at 01:43:54PM -0500, Matthew Miller wrote:
> On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik
> > wrote:
> > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > > download images.
>
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik
> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media
On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote:
> So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> download images.
>
Since Fedora looks to be moving to Live USB Creator (maybe Fedora
Media Writer, TBD) as the primary download for Fedora 24, I wonder if
the new
On Sun, 21 Feb 2016 09:32:46 -0500
Sam Varshavchik wrote:
> So, I see that someone hacked Linux Mint, and slipped in some
> trojaned ISO download images.
>
> As a curiosity, I went to https://getfedora.org, to see how easy it
> is to find instructions for verifying the downloaded images.
>
> I