[openstack-dev] PGP key signing party during the HK summit

Jeremy Stanley fungi at yuggoth.org
Fri Sep 20 15:34:15 UTC 2013


On 2013-09-20 10:46:47 -0400 (-0400), Mike Spreitzer wrote:
> What's the threat model here?

I'm not sure I understand the question... one goal is to provide a
stronger assurance chain from the point of release (designated by
the OpenPGP-signed tags we already use in our Git repositories) to
the actual release artifacts (published tarballs, checksums, release
announcements). Another is to broaden the verifiability of
statements made by project members acting in any sort of official
capacity (which we also already sign with OpenPGP keys). There is no
single threat model being addressed by the web of trust itself, but
rather its existence provides us with additional tools to strengthen
the ways in which we address a variety of potential threats to the
project and our users (tampered source repositories, maliciously
modified downloads, forged statements/announcements and so on).
-- 
Jeremy Stanley
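The assurance chain described above (OpenPGP-signed tag, then tarball, then signed checksums) as an added verification script; this is not code from the thread or from OpenStack. It assumes gpg 2.1+, git and coreutils are installed, and builds a throwaway demo key, repository and release in a temporary directory so that it runs offline.

```bash
#!/usr/bin/env bash
# Check every link of a release chain: signed git tag -> tarball -> signed checksum file.
set -euo pipefail

# Constructed demo environment (not a real OpenStack release): a temp GNUPGHOME holding a
# passphrase-less key, a one-commit repo with a signed tag, a tarball and signed SHA256SUMS.
setup_demo() {
  WORK=$(mktemp -d)
  export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Releaser <demo@example.invalid>' default default never
  KEYID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^fpr/{print $10; exit}')
  git init -q "$WORK/repo"
  git -C "$WORK/repo" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m 'initial'
  git -C "$WORK/repo" -c user.name=demo -c user.email=demo@example.invalid \
      -c user.signingkey="$KEYID" tag -s -m 'release 1.0.0' 1.0.0
  git -C "$WORK/repo" archive --format=tar --prefix=demo-1.0.0/ -o "$WORK/demo-1.0.0.tar" 1.0.0
  (cd "$WORK" && sha256sum demo-1.0.0.tar > SHA256SUMS && gpg --batch --armor --detach-sign SHA256SUMS)
}

# verify_release REPO TAG DIR: succeeds only when the tag signature, the signature on
# SHA256SUMS and the checksums of the artifacts in DIR all verify. Any single failure is
# enough to reject the release, which is the point of chaining the three checks.
verify_release() {
  local repo=$1 tag=$2 dir=$3
  git -C "$repo" tag -v "$tag" >/dev/null 2>&1 || { echo "bad tag signature: $tag"; return 1; }
  gpg --batch --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null \
      || { echo "bad signature on SHA256SUMS"; return 1; }
  (cd "$dir" && sha256sum --quiet -c SHA256SUMS) || { echo "checksum mismatch"; return 1; }
  echo "release $tag verified"
}
```

Run `setup_demo` and then `verify_release "$WORK/repo" 1.0.0 "$WORK"`; appending a byte to the tarball afterwards makes the same call fail at the checksum step.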