On 02/24/2017 10:41 AM, Kieran Colford wrote:
> I agree that PGP everywhere is absolutely something to push for. On the other hand, not every developer is in the web of trust strong set

Which is why if you pedantically worship the web of trust strong set, PGP is kind of useless altogether, since you can never really trust it in practice. Or use TOFU.

> and if you're downloading the package sources from Github then that's probably where you got the PGP key id from as well.

Or from any of the dozen other places you can find the developer's key. Particularly, their independent website (which is not GitHub). The fact that some users are stupid is not an indictment against PGP.

> An attacker who can hijack your TLS secured source download when you bump the package version could also have fed you a forged PGP key id when you first made the package. Upgrading to stronger checksums is only marginally less secure than using PGP.

What? The fingerprint is in the PKGBUILD which is downloaded via HTTPS from a second website, which requires either breaking the HTTPS security model or violating multiple (presumably) secure channels, and is also easily cross-verified against multiple independent sources.

PGP operates on a completely different conceptual landscape than checksums, and is *always*, no matter what, more "secure" than checksums. Once again, the existence of stupid users is not an indictment against PGP, and the fact that in cherry-picked situations PGP fails to live up to its end-user promise is not an indictment either.

PGP tells us a lot of things. It tells us the source is authorized by the same person who authorized multiple previous releases. It tells us the source is the one the AUR maintainer used. It tells us that someone who can be *absolutely* identified is the same person who did X and said X, on various mailing lists, websites, and partial PGP trust models. It tells us that we are still getting our sources from the same person we got them from last week/month/year.

The fact that its mere existence is not a magic talisman saying everything is wonderful, fine and safe... is not news, and is not a problem either, since no one ever said that is what it was supposed to do.

tl;dr The sky is not falling.

-- 
Eli Schwartz