On 14-03-2014 07:20, Alexander Hall wrote:
> On 3/14/14 5:09 AM, Jean-Philippe Ouellet wrote:
>> Hello,
>>> ...
>>> Anyway... we have signify now and the FAQ still says otherwise.
>> Oh, I forgot these:
>>
>> tedu's backport
>> http://www.tedunangst.com/flak/post/signify-backport
>>
>> my osx "port"
>> https://github.com/jpouellet/signify-osx
> I'm not sure what value this adds. Downloading pubkeys from some
> (semi-)random location does not really give additional security. Sure,
> maybe no less either, and making attacks slightly more complicated, but
> still.
>
> /Alexander
>
This is what I do. Download from different clients using different
mirrors, using proxies, different DNS servers, etc. The initial trust
always is the hard part and there is no real solution for it. If the
black suits are after you, you'll eventually fall. Since signify will
include the keys for the current and the next release, the initial trust
is the key point. At least you don't have to keep getting keys every
release cycle. Or, if you are paranoid, you do it anyway.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
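
The cross-check described in the reply above, as an added example that is not part of the original thread: it compares copies of a signify public key fetched over independent paths and ignores the untrusted comment line. It assumes the signify public key file layout (a comment line, then base64 of the tag "Ed", an 8-byte key number and a 32-byte Ed25519 key); the labels, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib

COMMENT_PREFIX = "untrusted comment: "

def parse_pubkey(text):
    """Return (keynum, key) from the text of a signify public key file."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("not a two-line signify key file")
    raw = base64.b64decode(lines[1], validate=True)
    # 2-byte algorithm tag "Ed", 8-byte key number, 32-byte Ed25519 key
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("unexpected key blob")
    return raw[2:10], raw[10:]

def compare_copies(copies):
    """copies maps a fetch-path label to file text.
    Returns (all_agree, groups); groups maps fingerprint -> labels,
    with unparseable copies grouped under None."""
    groups = {}
    for label, text in copies.items():
        try:
            keynum, key = parse_pubkey(text)
            fp = hashlib.sha256(keynum + key).hexdigest()
        except ValueError:  # includes base64 decoding errors
            fp = None
        groups.setdefault(fp, []).append(label)
    all_agree = len(groups) == 1 and None not in groups
    return all_agree, groups

def make_keyfile(comment, keynum, key):
    """Build a constructed key file for the demo (not a real OpenBSD key)."""
    blob = base64.b64encode(b"Ed" + keynum + key).decode()
    return f"{COMMENT_PREFIX}{comment}\n{blob}\n"

# Constructed sample data: labels and key bytes are made up.
GOOD = (b"\x01" * 8, b"\xaa" * 32)
SAMPLE = {
    "mirror A, home link": make_keyfile("openbsd base public key", *GOOD),
    "mirror B, via proxy": make_keyfile("re-saved copy", *GOOD),
    "mirror C, other DNS": make_keyfile("openbsd base public key",
                                        b"\x01" * 8, b"\xbb" * 32),
}

if __name__ == "__main__":
    ok, groups = compare_copies(SAMPLE)
    print("all copies agree" if ok else "MISMATCH, do not trust yet")
    for fp, labels in groups.items():
        print(fp[:16] if fp else "unparseable", labels)
```

Agreement across paths only shows that the paths served the same key; a mismatch says one path differs without saying which copy is genuine.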

