subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Subversion 1.8 in RHEL/Centos repositories
Date Tue, 03 Nov 2015 13:54:36 GMT
Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
> On Mon, Nov 2, 2015 at 8:59 AM, Junek LeoŇ° <junek@oksystem.cz> wrote:
> > I would like to install Subversion 1.8 from native distribution repository
> > and wonder why it is not available…
> 
> My RPM building tools are published. I don't personally have a web
> service I can rely on sufficiently well to publish reliable, GPG
> signed RPM's and have high confidence that someone can't maliciously
> replace the repository, including a fake GPG key. Who checks the
> signature chain on website published GPG keys?

Even people who don't have a PGP trust path to your key will still be
protected from this attack if they do "key pinning", i.e., if they check
that "it's the same key as last time".

(So long as people don't re-pin to a new key when the key on the website
changes, of course.)

Mime
View raw message