--- Comment #25 from marco <mai...@live.de> ---
> packagers must be very careful when a release-signing key changes
Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc
without checking the hash or fingerprint, so there is no way to detect changes.
What am I missing?
> To my slight surprise I found that the tarball from Github is identical to
> the one on bitcoin.org (and on bitcoincore.org)
I think this is only a coincidence for the 0.20.0 release. All other releases
should not match, which is why I assumed the download sources are identical.
> I don't see any statement that Hockeypuck has a solution to the spam attack
Good point, personally I can recommend
which claim to be resistant to those attacks (
Not sure, but keyserver.ubuntu.com might have solved the attack by disabling
key updates, which could lead to problems should the key ever be revoked.
Though generally, as long as the fingerprint matches, it should be possible to
download the key from any source with reliable uptime.
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
package-review mailing list -- email@example.com
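The fingerprint check the comment above keeps coming back to (the key may be fetched from any mirror or keyserver, but the spec must pin the full fingerprint and compare it) is shown here as an added example; it is not code from the bug report, from the Fedora packaging tooling, or from the Bitcoin Core project. It parses an ASCII-armored public key block, checks the armor CRC, computes the v4 fingerprint of the primary key per RFC 4880 section 12.2, and compares it in constant time against a pinned value. The sample key block is constructed inline with dummy RSA parameters (not a real key), and all function names are this example's own; in a real spec the same check is what `gpg --import-options show-only --import` plus a pinned fingerprint, or `%{gpgverify}` with a vetted keyring, gives you.

```python
"""Pin and verify the fingerprint of a downloaded OpenPGP public key (added example)."""
import base64
import hashlib
import hmac
import struct

PUBLIC_KEY, USER_ID = 6, 13  # packet tags, RFC 4880 section 4.3


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Return the binary packets of an armored PUBLIC KEY BLOCK, rejecting a bad CRC."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"))
        end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP PUBLIC KEY BLOCK-----"))
    except StopIteration:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    body = lines[start + 1:end]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    payload, crc_line = [], None
    for ln in body:
        if ln.startswith("="):
            crc_line = ln[1:]
        elif ln:
            payload.append(ln)
    data = base64.b64decode("".join(payload), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC mismatch: key block corrupted in transit")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each top-level packet (old and new header formats, RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:  # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def fingerprint_v4(key_body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length, and the v4 public-key packet body."""
    if key_body[0] != 4:
        raise ValueError(f"unsupported key packet version {key_body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the first primary public key in the block (subkeys, tag 14, are ignored)."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PUBLIC_KEY:
            return fingerprint_v4(body)
    raise ValueError("no public-key packet in block")


def verify_pinned(armored: str, pinned: str) -> bool:
    """True only if the downloaded key's fingerprint equals the full 40-hex-digit fingerprint pinned in the spec."""
    wanted = pinned.replace(" ", "").upper()
    if len(wanted) != 40:
        raise ValueError("pin the full v4 fingerprint, not a short or long key ID")
    return hmac.compare_digest(primary_fingerprint(armored), wanted)


def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_key(created: int = 1600000000) -> str:
    """Constructed v4 RSA key block for offline testing; the modulus is a dummy, not a real key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi((1 << 255) + 12345) + _mpi(65537)
    uid = "Constructed Test Key <test@example.invalid>".encode()
    packets = bytes([0x80 | (PUBLIC_KEY << 2), len(body)]) + body + bytes([0x80 | (USER_ID << 2), len(uid)]) + uid
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *lines, "=" + crc,
                      "-----END PGP PUBLIC KEY BLOCK-----", ""])


SAMPLE_KEY = build_sample_key()

if __name__ == "__main__":
    fpr = primary_fingerprint(SAMPLE_KEY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("matches pin:", verify_pinned(SAMPLE_KEY, fpr))
```

Two points the code makes explicit: the fingerprint covers the creation time as well as the key material, so a re-issued key with the same modulus is still a different key, and a pinned short key ID is refused outright, since key IDs can be collided and would defeat the purpose of pinning.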