https://bugzilla.redhat.com/show_bug.cgi?id=1834731



--- Comment #25 from marco <mai...@live.de> ---
> packagers must be very careful when a release-signing key changes

Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc
without checking the hash or fingerprint, so there is no way to detect changes.
What am I missing?

> To my slight surprise I found that the tarball from Github is identical to 
> the one on bitcoin.org (and on bitcoincore.org)

I think this is only a coincidence for the 0.20.0 release. All other releases
should not match, which is why I assumed the download sources are identical.

> I don't see any statement that Hockeypuck has a solution to the spam attack

Good point; personally I can recommend
https://keys.openpgp.org/vks/v1/by-fingerprint/01EA5486DE18A882D4C2684590C8019E36C2E964,
which claims to be resistant to those attacks
(https://keys.openpgp.org/about/faq#sks-pool).

Not sure, but keyserver.ubuntu.com might have solved the attack by disabling
key updates, which could lead to problems should the key ever be revoked.

Though generally, as long as the fingerprint matches, it should be possible to
download the key from any source with reliable uptime.


_______________________________________________
package-review mailing list -- package-review@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org