nik gaffney <[EMAIL PROTECTED]> writes:
> In that case, an even more productive proposal would be to track down the
> keys of any asdf packagers that are not in the web of trust provided by the
> common-lisp.net keyring.
Sorry for the late response here, but it should be noted that the
common-lisp.net keymaster key does not create a web of trust: the
signatures are sight-unseen, and only indicate that the key is
considered an opaque identity by clnet.
Steps to attack:
0. Generate a key for a fake persona.
1. Get a throwaway email account for the same persona.
2. Apply for a MUD client project on Common-lisp.net using the
email and the key.
3. Whine till your key is signed with the keymaster key.
4. Put evil code on cliki, signed with the supposedly trusty key.
To reiterate: the keymaster signature indicates only that the key is
associated with a common-lisp.net account, so that clnet can use it to
encrypt passwords for sending over email, verifying that the person on
the end of the email is the same person who originally got the
account, etc. It _does_not_ say that the person is identifiable, or
even known to be a generally decent person.
Building a real web of trust is not too hard, though, especially
if one is willing to piggyback on the Debian web of trust.
Cheers,
-- Nikodemus
Schemer: "Buddha is small, clean, and serious."
Lispnik: "Buddha is big, has hairy armpits, and laughs."
_______________________________________________
Gardeners mailing list
[email protected]
http://www.lispniks.com/mailman/listinfo/gardeners
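The distinction the mail draws (a certification from a key that nobody has assigned introducer trust to does not make the signed key valid, while three marginally trusted Debian developers who checked an ID do) can be checked against the classic OpenPGP trust model. The Python below is an added illustration written for this page, not code from the thread, from common-lisp.net or from GnuPG; it implements a simplified version of GnuPG's default rules (one fully trusted or three marginally trusted valid introducers, certification chains at most five deep). Every key name ("me", "clnet-keymaster", "fake-persona", "alice", "dd-1".."dd-3") and every ownertrust assignment is constructed for the example, and the certification list follows the attack steps in the mail.

```python
"""Why a keymaster signature is not a web of trust: a trust-model walkthrough.

Added example, not code from the thread or from common-lisp.net. Simplified
classic OpenPGP trust computation with GnuPG-like defaults. All keys,
certifications and ownertrust values below are constructed for illustration.
"""
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # one fully trusted introducer makes a key valid
MARGINALS_NEEDED = 3   # or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # longest certification chain that still counts


def compute_validity(ownertrust, certifications):
    """Return {key: depth} for every key that becomes valid.

    ownertrust: key -> introducer trust the verifier assigns to that key
                (only the verifier's own key is 'ultimate').
    certifications: list of (signer, subject) key-signature pairs.
    """
    signers_of = defaultdict(set)
    for signer, subject in certifications:
        signers_of[subject].add(signer)

    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for subject, signers in signers_of.items():
            if subject in valid:
                continue
            completes = marginals = depth = 0
            for s in signers:
                # A signature counts only if the signer's own key is valid
                # (we know whose signature it is) AND the verifier has
                # chosen to trust that signer as an introducer of others.
                if s not in valid or valid[s] + 1 > MAX_CERT_DEPTH:
                    continue
                t = ownertrust.get(s, UNKNOWN)
                if t in (ULTIMATE, FULL):
                    completes += 1
                elif t == MARGINAL:
                    marginals += 1
                else:
                    continue  # 'unknown'/'none': signature carries no trust
                depth = max(depth, valid[s] + 1)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                valid[subject] = depth
                changed = True
    return valid


# Constructed certifications mirroring the mail's scenario (hypothetical names).
CERTS = [
    ("me", "clnet-keymaster"),            # I verified the keymaster key itself
    ("clnet-keymaster", "fake-persona"),  # sight-unseen account signature (step 3)
    ("clnet-keymaster", "alice"),         # a real packager gets the same signature
    # Alice's key also carries signatures from Debian developers who checked
    # her ID in person: this is what piggybacking on the Debian web of trust
    # looks like. I have verified those developers' keys and trust them
    # marginally as introducers.
    ("dd-1", "alice"), ("dd-2", "alice"), ("dd-3", "alice"),
    ("me", "dd-1"), ("me", "dd-2"), ("me", "dd-3"),
]


def trust_state(keymaster_trust=UNKNOWN):
    """Validity map under a given introducer trust for the keymaster key."""
    ownertrust = {"me": ULTIMATE,
                  "clnet-keymaster": keymaster_trust,
                  "dd-1": MARGINAL, "dd-2": MARGINAL, "dd-3": MARGINAL}
    return compute_validity(ownertrust, CERTS)


def fake_persona_is_valid(keymaster_trust=UNKNOWN):
    return "fake-persona" in trust_state(keymaster_trust)


def alice_is_valid(keymaster_trust=UNKNOWN):
    return "alice" in trust_state(keymaster_trust)


if __name__ == "__main__":
    # Correct use: keymaster signature treated as an opaque identity binding.
    print("fake persona valid (keymaster trust unknown):", fake_persona_is_valid())
    print("alice valid via Debian developers:            ", alice_is_valid())
    # The mistake the mail warns about: treating clnet as a trusted introducer.
    print("fake persona valid (keymaster trust full):   ", fake_persona_is_valid(FULL))
```

With the keymaster left at unknown ownertrust its signature on the fake persona contributes nothing, even though the keymaster key itself is valid; Alice's key still becomes valid through the three marginal Debian signatures. Only if a verifier assigns full ownertrust to the keymaster key does the fake persona's key become valid, which is exactly the "supposedly trusty key" outcome of step 4.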