It didn't just answer the question, it also has 277000000 alternative answers up it's sleeves. Truly impressive
hunter2
joined 1 year ago
Wait a minute, you guys got free time?
Also applies to all Apple (R) products.
Me too? ☺️
Why would it say Melon Collie then? Checkmate.
Where do you get the public key to verify the signature from? My point being, that you have to trust someone. I don't really see the benefit of trusting a key server, that the public key really belongs to the owner over a checksum file being published on the website of the owner.
Someone could've pushed a malicious compiler. Better write all the bits by hand.
What is the benefit of a gpg signature over a checksum? In either case you have to trust someone.
Sie haben den Job!
Bonuspoints if it keeps being borked after undoing the last change. Certified Microsoft moment 😎
Cat expert here. Yes a cat could.
Oh you are absolutely right about it being much harder to compromise the distro website as well as a key server. And as much as I am aware of the concept of the web of trust, I still do not get how you securely draw a relation between a key on a third party website and the publisher of a distro?
I just checked for OpenSuse and Fedora. Both link to their keys on their own website, which both target files on their own domain. And even if they linked to a third party, what is stopping an attacker, who already managed to swap the iso and checksum file to also change the link to the key server?
You are right about already imported keys. But why would someone, who does not already have distro xyz installed, have the keys of the publisher of distro xyz imported?
Thanks in advance for the discussion!