-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 25 Jul 2014, Jason Brooks wrote:
> I've uploaded [0] a test image for a Project Atomic [1] host based on CentOS 7 [2], intended to help with the development of an official CentOS 7 image as part of the CentOS Atomic SIG [3]. ...
Jason, would you please be so kind as to GnuPG 'clearsign' [1] the SHASUM file with a key of record at the MIT keyserver, and hopefully endorsed by someone on the list at [2]. There are several Red Hatters and Fedorians
The security model for distributing these blogs is potentially broken as your initial post makes it.
- Hypothetically, a Dr Evil, or a MitM, could subvert both the images and the SHASUM file.
- Transit is over a non-SSL-protected channel and so subject to invisible MitM.
- I do not know the provenance of an un-named IP on the internet.
- It is not clear how the distribution is maintained or potentially shared with anonymous others.
If the image was built by a scripted process, I would also appreciate seeing such automation scripting as well.
Thanks,
-- 
Russ herrold
[1] http://orcorc.blogspot.com/2008/08/gnupg-few-minutes-on-using-detached-and.h...
[2] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x311875419B649644
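The sign-and-verify flow Russ is asking for, written out as an added example; it is not code from this thread, from Project Atomic or from the CentOS Atomic SIG. The throwaway key, the fake `.qcow2` files and the directory layout are constructed for the demo; a real signer would use their key of record and the consumer would pin that key's fingerprint after checking it against the keyserver listing and the endorsements on it. The consumer check deliberately pins the fingerprint rather than trusting a bare `gpg --verify` exit status, and `sha256sum -c` is fed only the signed body, so a MitM who replaces the images, the SHASUM file, or both is caught:

```bash
#!/usr/bin/env bash
# Added example, not code from the original thread or from Project Atomic.
# Sign a SHASUM file with GnuPG and verify it so that image and checksum
# integrity no longer depend on an unauthenticated download channel.
# The key, the image files and the directory layout are constructed for
# the demo; a real signer uses their key of record.
set -eu

# Producer side: checksum the images, then clearsign the list with key $2.
make_signed_sums() {            # $1 = image directory, $2 = signing key fingerprint
    local dir="$1" keyid="$2"
    ( cd "$dir" && sha256sum ./*.qcow2 > SHA256SUM )
    gpg --batch --yes --local-user "$keyid" --output "$dir/SHA256SUM.asc" \
        --clearsign "$dir/SHA256SUM"
}

# Consumer side: succeed only if SHA256SUM.asc carries a valid signature by
# exactly the pinned fingerprint $2 AND every listed checksum matches.
# A bare "gpg --verify" exit status is not enough: it is also 0 for a good
# signature by some *other* key the attacker managed to get imported.
verify_signed_sums() {          # $1 = image directory, $2 = expected fingerprint
    local dir="$1" fpr="$2" status
    status=$(gpg --batch --status-fd 1 --verify "$dir/SHA256SUM.asc" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " || return 1
    # Feed only the signed body (armor stripped by gpg) to sha256sum -c.
    ( cd "$dir" && gpg --batch --decrypt SHA256SUM.asc 2>/dev/null \
        | sha256sum -c --status - )
}

# End-to-end demo with a throwaway key. Prints PASS when an intact tree is
# accepted and both MitM scenarios are rejected; SKIP if gpg is unavailable.
demo() {
    command -v gpg >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1 \
        || { echo SKIP; return 0; }
    local work; work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    mkdir "$work/images"
    # Constructed stand-ins for the downloaded images.
    printf 'constructed fake image A\n' > "$work/images/centos7-atomic-a.qcow2"
    printf 'constructed fake image B\n' > "$work/images/centos7-atomic-b.qcow2"
    # Throwaway, passphrase-less signing key standing in for the key of record
    # (falls back to RSA where the GnuPG build lacks ed25519).
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Demo Signer <demo@example.invalid>' ed25519 sign 1d >/dev/null 2>&1 \
    || gpg --batch --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Demo Signer <demo@example.invalid>' rsa2048 sign 1d >/dev/null 2>&1
    local fpr
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
    make_signed_sums "$work/images" "$fpr"

    local result=PASS
    # 1. Untouched download: must verify.
    verify_signed_sums "$work/images" "$fpr" || result=FAIL-intact
    # 2. MitM swaps an image but leaves the signed list alone: checksum mismatch.
    printf 'trojaned image\n' > "$work/images/centos7-atomic-a.qcow2"
    verify_signed_sums "$work/images" "$fpr" && result=FAIL-image-swap
    # 3. MitM also rewrites the SHASUM body to match the trojaned image, keeping
    #    the old signature block (an unsigned replacement fails the same way).
    ( cd "$work/images" && {
          sed -n '1,/^$/p' SHA256SUM.asc
          sha256sum ./*.qcow2
          sed -n '/^-----BEGIN PGP SIGNATURE-----/,$p' SHA256SUM.asc
      } > SHA256SUM.tmp && mv SHA256SUM.tmp SHA256SUM.asc )
    verify_signed_sums "$work/images" "$fpr" && result=FAIL-sums-rewrite

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
}
```

In practice the consumer obtains the fingerprint out of band (the keyserver entry at [2] plus the signatures on it, or a prior trusted download) and hard-codes it in the verification script; fetching the key from the same unauthenticated server as the images would let the MitM substitute both.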