On 01/07/15 18:24, Jonathan Hermann wrote: > Just thinking out loud: if Marc-André's purpose is to validate content that > was downloaded via insecure http, then a gpg key downloaded via insecure > http is somewhat pointless. I mean, statistically, chances are a bit better > that only one of both connections gets manipulated (if at all), but still, > the whole process in itself is vulnerable.
However, even using https is not necessarily a great thing given the recent history of CA security and the general level of (mis)trust in centralised PKI systems these days. There's a nice LWN article on this issue from earlier this year on the whole issue (focused mainly on distros, but the issues are the same for any open source package): https://lwn.net/Articles/637595/ My feeling is that you have to set and clearly state the level of paranoia/threat that you are willing to try and work to address and try and avoid the temptation to go beyond that level (without updating your statement first). All the best, Chris -- Christopher Samuel Senior Systems Administrator VLSCI - Victorian Life Sciences Computation Initiative Email: [email protected] Phone: +61 (0)3 903 55545 http://www.vlsci.org.au/ http://twitter.com/vlsci ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user
