[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

Kevin Cox kevincox at kevincox.ca
Fri Jun 17 17:52:38 CEST 2016


On 17/06/16 11:40, zimbatm wrote:
> 
> I agree. For GPG to be implemented properly, the key must be distributed
> separately from the content. The goal is to make the attack more
> expensive by forcing the attacker to compromise multiple communication
> channels. And the key fingerprint must be in the long form to mitigate
> potential collision attacks.
> 

Yes, this is the trick. Put the signing key EVERYWHERE. Sign it by the
Nix maintainers and stick their keys everywhere as well. Then you verify
it with as many different channels as you like. Go to a conference, read
the website, different blog posts, ask a friend...

Just putting the key on the website beside the installer isn't much
better for the first time user, and definitely don't auto-import the key
because that will remove the benefit from repeat users as well.


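The check discussed in this message, as an added example that is not part of the original e-mail or of the Nix project: compare the fingerprint a user collected from several independent channels, accepting only full-length fingerprints. The function names, channel names and the sample fingerprint are constructed for illustration, and OpenPGP v4 keys (40 hex digit fingerprints) are assumed.

```python
import re

FULL_FPR_HEX = 40  # assumption: OpenPGP v4 fingerprint, 160 bits = 40 hex digits


def normalise(fpr):
    """Strip spaces, colons and an optional 0x prefix; return upper-case hex."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not hexadecimal: {fpr!r}")
    return cleaned


def check_channels(observations, min_channels=2):
    """observations maps channel name -> fingerprint as published there.

    Returns (ok, detail). Short (8 hex) and long (16 hex) key IDs fail the
    check instead of being prefix-matched: only the full fingerprint is
    compared, and every channel must report the same one.
    """
    full = {}
    for channel, raw in observations.items():
        fpr = normalise(raw)
        if len(fpr) != FULL_FPR_HEX:
            return False, f"{channel}: {len(fpr)} hex digits, need {FULL_FPR_HEX}"
        full[channel] = fpr
    if len(full) < min_channels:
        return False, f"only {len(full)} channel(s), need {min_channels}"
    distinct = set(full.values())
    if len(distinct) != 1:
        return False, "channels disagree: " + ", ".join(sorted(full))
    return True, distinct.pop()


if __name__ == "__main__":
    # Constructed sample values, not a real key.
    seen = {
        "website": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
        "conference slide": "0123456789abcdef0123456789abcdef01234567",
        "friend": "0x0123456789ABCDEF0123456789ABCDEF01234567",
    }
    print(check_channels(seen))
```

Only after this check passes would the key be imported by hand and the installer's signature verified against it.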