Secrecy and user trust

Ed Greshko Ed.Greshko at greshko.com
Mon Sep 8 01:34:11 UTC 2008


Les Mikesell wrote:
> Ed Greshko wrote:
>>
>>> What's the point of having the key at all if you implicitly trust the
>>> delivery mechanism of the RPM packages?
>> Good approach, answer a question with another question.
>>
>
> If you can't say why you need the key in the first place, there isn't
> much hope of seeing why you need a different reason to trust the key
> than the content it verifies.
>
Bzzzzttt...  Wrong!  You are attacking the current system and it is
incumbent on you to prove your points.

I can't help but see the irony in that those clamoring for "explicit
details" from the Fedora folks as to the nature, methods, damage
inflicted on the Fedora infrastructure are so devoid of details on how
their attack vector would work.  Their scenario amounts to...generate a
fake key pair, fool people into accepting it, sign compromised packages,
fool people into downloading and installing them...take over their systems.

<comic aside>
There is a much easier way to achieve the above.  Trick people into
installing Microsoft products.
</comic aside>

-- 
The onset and the waning of love make themselves felt in the uneasiness
experienced at being alone together. -- Jean de la Bruyere
