This is just a test image, totally unofficial. I expect the SIG eventually to distribute images with all the sorts of measures you suggest. For now, for enhanced trustability, I suggest people build their own.

Regards, Jason

R P Herrold <herrold at owlriver.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 25 Jul 2014, Jason Brooks wrote:

> I've uploaded [0] a test image for a Project Atomic [1] host
> based on CentOS 7 [2], intended to help with the development
> of an official CentOS 7 image as part of the CentOS Atomic
> SIG [3].

...

Jason, would you please be so kind as to Gnupg 'clearsign' [1] the SHASUM file with a key of record at the MIT keyserver, and hopefully endorsed by someone on the list at [2]. There are several Red Hatters and Fedorians

The security model for distributing these blogs is potentially broken as your initial post makes it.

- Hypothetically, a Dr Evil, or a MitM, could subvert both the images and the SHASUM file.
- Transit is over a non SSL protected channel and so subject to invisible MitM.
- I do not know the provenance of an un-named IP on the internet.
- It is not clear how the distribution is maintained or potentially shared with anonymous others.

If the image was built by a scripted process, I would also appreciate seeing such automation scripting as well.

Thanks,

- -- Russ herrold

[1] http://orcorc.blogspot.com/2008/08/gnupg-few-minutes-on-using-detached-and.html
[2] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x311875419B649644

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlPS0TkACgkQMRh1QZtklkROOgCgnivw1/qwrhYeIWKjvUFNI79M
Yx4An3WCPjLH9TZcH9ciM6z1OqIrSXMP
=MUkP
-----END PGP SIGNATURE-----

_______________________________________________
CentOS-devel mailing list
CentOS-devel at centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
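
The check requested in the thread, from the downloader's side, as an added example that is not part of either message: verify the clearsigned checksum file against a pinned signer, then compare the image hash using only the text the signature covers. The function names, the SHA-256 `sha256sum` format and the out-of-band fingerprint are assumptions of this example.

```bash
# Added example (not from the thread). Assumptions: checksums are SHA-256 in
# sha256sum format; the signer's fingerprint (40 uppercase hex digits, no
# spaces) was obtained out of band rather than from the download site.

# check_signed_sum <verified-sums-file> <image>
# Succeeds only if exactly one entry names the image and its hash matches.
check_signed_sum() {
    local sums="$1" image="$2" name want got
    name=$(basename "$image")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    got=$(sha256sum "$image" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# verify_image <clearsigned-sums> <image> <signer-fingerprint>
verify_image() {
    local asc="$1" image="$2" fpr="$3" tmp rc=1
    tmp=$(mktemp -d) || return 1
    # --decrypt verifies a clearsigned file and writes ONLY the signed text to
    # --output, so lines placed outside the armor never reach the hash check.
    # In a VALIDSIG status line, field 3 is the signing key's fingerprint and
    # the last field is the primary key's; either may be the pinned value.
    if gpg --batch --status-fd 3 --output "$tmp/sums" --decrypt "$asc" \
            3>"$tmp/status" 2>/dev/null &&
       awk -v f="$fpr" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                        END { exit !ok }' "$tmp/status" &&
       check_signed_sum "$tmp/sums" "$image"
    then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Pinning the fingerprint matters because a "good signature" from any key in the keyring, including one fetched from the same untrusted channel as the image, would otherwise pass.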