Re: A repository changed its public key?
- From: houghi <houghi@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Jan 2008 13:06:19 +0100
birre wrote:
> Since we must trust the distributor of our system, I would prefer that
> they also update my system with the keys from the contributors they trust,
> so I don't fall into the trap of trusting a key from some false contributor.
Somebody who is good now can be bad tomorrow. Such is trust. The
question is how big the risk is.
> I do not have the skill to validate the keys, other than hoping the site is intact
> and the key is real.
Indeed, but that does not mean that the key can be trusted. However, the
risks are minimal. At this moment the risk is more academic than real
life.
> Many users of Linux are trained by Windows software, where they learn to click
> on anything even if they have no chance of knowing what to answer.
I am very well trained to do the same thing in Linux. This has nothing
to do with Linux or Windows. It has everything to do with human nature.
It also can have something to do with liability, like the stupid
sticker on many appliances that warns you about idiotic things.
> Like when the antivirus program says they have a virus, and they are asked if they want to
> remove it (yes or no), and they call me.
> I ask them "what program asks that?", and they say, "I don't know".
> So, maybe it was the virus itself or the antivirus program, who knows.
Or hitting [ENTER] after `rm -rf b[tab]` and then realizing that you are
root AND in / and not a user in ~/tmp/. What I have done is put the -rf
at the end of the command.
There are also other times in Linux when I ignored popups and warnings.
I have been using Linux for several years now, so I cannot blame Windows for
my behaviour anymore.
> It must not be like this with keys; someone we trust must trust them first so
> we don't get fooled so easily.
That depends on what risks you are willing to take. As a home user or
small business, there is no problem. However, if you so desire, you can
meet people in real life who can then sign keys. At FOSDEM there is such
a keysigning every year.
As I want to keep my internet name as separate as possible from my real-life
alter ego, I cannot produce any papers confirming who I am without
making a link between the two.
That means you can NEVER completely trust me to be me, even when I give
you my public key.
The problem with risk is that people cannot understand what risk really
is, even if you give them the numbers.
The risk of getting killed in a traffic accident is much, much higher
than that of being killed in a terrorist attack. Yet the amount spent on the one is
much, much higher and has a much greater impact than on the other.
As long as we cannot say that a risk is 0, people will use it to scare
people into doing stupid things.
That all said, it is good that the GP asked the question. He was
uncertain and sought confirmation. He did not panic with "OMG!!!! I
AM HACKED!!1!!" He just looked for confirmation in a situation that
could be strange.
The first time I had such a thing happen was when I re-installed a
machine and my ssh connections started to give errors.
houghi
--
Theologians can persuade themselves of anything. Anyone who can worship
a trinity and insists that his religion is a monotheism can believe
anything -- just give him time to rationalize it.
Robert A. Heinlein, JOB: A Comedy of Justice
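The situation houghi ends with (a reinstalled machine presenting a new ssh host key, and clients erroring) is the same "key changed, is it genuine?" question the thread started with. The right response is to compare the presented key's fingerprint against one obtained through a second channel, rather than deleting the known_hosts line and reconnecting. The following is an added example, not code from houghi or from any of the posters: it computes the SHA256 fingerprint of an OpenSSH public-key line the same way `ssh-keygen -lf` does (base64 of SHA-256 over the key blob, padding stripped) and classifies a presented key as unchanged, changed-and-verified, or changed-and-unverified. The key bytes are constructed placeholders, not a real key; the function names and the three-way classification are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample key material: 32 predictable bytes standing in for the
# raw Ed25519 public key. NOT a real host key; it only exercises the format.
SAMPLE_RAW_KEY = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(raw_key: bytes, comment: str = "example-host") -> str:
    """Build an OpenSSH public-key line ('ssh-ed25519 <base64 blob> <comment>').
    The blob is string("ssh-ed25519") || string(raw_key), as in RFC 8709."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the fingerprint in the form `ssh-keygen -lf` prints it:
    'SHA256:' + base64(SHA-256(blob)) with the trailing '=' padding removed.
    Works for any key type, since the digest covers the whole blob."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public-key line")
    key_type, b64blob = fields[0], fields[1]
    blob = base64.b64decode(b64blob, validate=True)
    # The first string inside the blob must equal the declared key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_presented_key(presented_line: str,
                        recorded_fp: Optional[str],
                        out_of_band_fp: Optional[str]) -> str:
    """Classify a host key presented at connect time.

    recorded_fp:    fingerprint from known_hosts, or None if never seen.
    out_of_band_fp: fingerprint obtained through a second channel (console,
                    provisioning record, a phone call), or None if unavailable.
    Returns 'match', 'new-verified', 'new-unverified',
            'changed-verified' or 'changed-unverified'.
    Only 'match' and the two '-verified' outcomes justify connecting.
    """
    fp = fingerprint(presented_line)
    oob_ok = out_of_band_fp is not None and hmac.compare_digest(fp, out_of_band_fp)
    if recorded_fp is not None and hmac.compare_digest(fp, recorded_fp):
        return "match"
    if recorded_fp is None:
        return "new-verified" if oob_ok else "new-unverified"
    return "changed-verified" if oob_ok else "changed-unverified"


if __name__ == "__main__":
    # Simulate the reinstall: known_hosts remembers the old key, the host now
    # presents a new one, and the admin reads the new fingerprint off the console.
    old_line = build_pubkey_line(bytes(32), "before-reinstall")
    new_line = build_pubkey_line(SAMPLE_RAW_KEY, "after-reinstall")
    console_fp = fingerprint(new_line)  # what you would read on the console
    print("old:", fingerprint(old_line))
    print("new:", console_fp)
    print("verdict with console check:", check_presented_key(new_line, fingerprint(old_line), console_fp))
    print("verdict without it:        ", check_presented_key(new_line, fingerprint(old_line), None))
```

The fingerprint string this produces is what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the reinstalled host, so the out-of-band value can be read straight from the console after the reinstall. Removing the stale known_hosts entry is only the right move once the verdict is `changed-verified`.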