On 2013-09-20 10:46:47 -0400 (-0400), Mike Spreitzer wrote:
> What's the threat model here?

I'm not sure I understand the question... one goal is to provide a stronger assurance chain from the point of release (designated by the OpenPGP-signed tags we already use in our Git repositories) to the actual release artifacts (published tarballs, checksums, release announcements). Another is to broaden the verifiability of statements made by project members acting in any sort of official capacity (which we also already sign with OpenPGP keys). There is no single threat model being addressed by the web of trust itself, but rather its existence provides us with additional tools to strengthen the ways in which we address a variety of potential threats to the project and our users (tampered source repositories, maliciously modified downloads, forged statements/announcements and so on).

-- 
Jeremy Stanley
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
