> On 24 Mar 2016, at 19:40, Doug Barton <[email protected]> wrote:
>
> But that's precisely my point. You have no idea what individual was actually
> responsible for signing the package you're downloading. It *could* be the
> same trusted package uploader that has signed the last few packages you
> grabbed, or it could be a nefarious individual who managed to get hold of
> Apache's secret key. My point is that there is no volume of signatures on or
> leading up to that key which will answer this question for you.

I don't see anyone on this thread arguing otherwise. All that I've claimed is that *some* trust path is better than none, as it provides a speed bump against *some* attacks. All security is just speed bumps in the end; if the NSA really wants to get you, they probably will. Listing the attacks a particular measure *doesn't* cover (developer coercion!) doesn't tell us anything, particularly when a) nobody claimed that it did and b) no other practical measure covers them either.

> I didn't say that they are useless. I said that we have to be realistic about
> what their value is (and isn't).

Value is in the eye of the beholder. I did say that my effort was not worth the result. You said it was a fool's errand. I don't see how we are disagreeing on anything of substance.

A

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
