On 17/06/16 11:40, zimbatm wrote:
>
> I agree. For GPG to be implemented properly, the key must be distributed
> separately from the content. The goal is to make the attack more
> expensive by forcing the attacker to compromise multiple communication
> channels. And the key fingerprint must be in the long form to mitigate
> potential collision attacks.
>
Yes, this is the trick. Put the signing key EVERYWHERE. Have it signed by the Nix maintainers and stick their keys everywhere as well. Then you verify it with as many different channels as you like. Go to a conference, read the website, different blog posts, ask a friend... Just putting the key on the website beside the installer isn't much better for the first-time user, and definitely don't auto-import the key, because that will remove the benefit for repeat users as well.
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
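As an added example (not code from this thread or from the Nix project), this is how the multi-channel cross-check described in the reply can be automated: the fingerprint of a downloaded key, parsed from `gpg --with-colons --fingerprint` output, is accepted only when several independently obtained copies (website, blog post, conference slide, a friend) agree on the full 40-hex-digit fingerprint; short key IDs are ignored as evidence and any disagreement aborts. All fingerprints and the gpg output below are constructed sample values.

```python
import re

# Constructed sample values (not a real Nix key): the same fingerprint as it
# might be read off a website, a blog post, a talk slide and a friend's copy.
CONSTRUCTED_CHANNELS = {
    "website": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "blog": "0123456789abcdef0123456789abcdef01234567",
    "conference": "0x0123456789ABCDEF0123456789ABCDEF01234567",
    "friend": "89AB CDEF 0123 4567",   # only a 64-bit key ID: not evidence
}
# Constructed 'gpg --with-colons --fingerprint' output for the downloaded key.
CONSTRUCTED_GPG_OUTPUT = (
    "pub:-:4096:1:89ABCDEF01234567:1466000000::-:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
)

_FULL_FPR = re.compile(r"^[0-9A-F]{40}$")

def normalize_fingerprint(text):
    """Canonicalise a fingerprint; reject anything shorter than the 40-hex long form."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not _FULL_FPR.match(fpr):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % text)
    return fpr

def fingerprints_from_gpg_colons(colon_output):
    """Return the fingerprints listed in 'gpg --with-colons --fingerprint' output."""
    return [f[9] for f in (line.split(":") for line in colon_output.splitlines())
            if f[0] == "fpr" and len(f) > 9]

def cross_check(candidate, observed, min_channels=3):
    """Accept `candidate` only if at least min_channels independent channels report
    the same full fingerprint. Short IDs are skipped; any disagreeing channel aborts."""
    wanted = normalize_fingerprint(candidate)
    matched, disagreeing = [], []
    for channel, fpr in observed.items():
        try:
            seen = normalize_fingerprint(fpr)
        except ValueError:
            continue  # too short to count for or against the key
        (matched if seen == wanted else disagreeing).append(channel)
    if disagreeing:
        raise RuntimeError("fingerprint mismatch on channels: " + ", ".join(sorted(disagreeing)))
    if len(matched) < min_channels:
        raise RuntimeError("only %d of %d required channels confirm the key" % (len(matched), min_channels))
    return sorted(matched)
```

Run `cross_check(fingerprints_from_gpg_colons(CONSTRUCTED_GPG_OUTPUT)[0], CONSTRUCTED_CHANNELS)` to see which channels confirmed the downloaded key; only then is `gpg --import` worth doing.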
