9 Feb 2015, 10:09 p.m.
Hello, today I was asked for the first time whether I want to download a signing key. So far this was done using a "keyring" package, which itself was signed using a trusted key. How do you prevent MITM attacks? To me it seems that anyone who can perform a MITM attack can trick me into installing virtually any package, as long as he signs it with a key that is available somewhere on a public keyserver. Of course I would be asked whether I want to import that key, but how do I know if the key is really valid and trusted? My guess is that most users will just say "yes" in this case. To me this seems like a big step backwards in terms of security. Please correct me if I'm wrong. Thanks in advance. Manuel