On 29/10/2007, Gilles Scokart <[EMAIL PROTECTED]> wrote:
>
> > -----Original Message-----
> > From: sebb [mailto:[EMAIL PROTECTED]
> >
> > Even if you can't establish a trust path, the PGP signature gives a
> > bit more assurance than a hash. The KEY file should be in SVN, so you
> > can ensure that the person that added the key to the KEY file was at
> > least a committer to SVN.
>
> That's only for the users who have https access to SVN (and who can reliably
> verify the SSH key of the server). The others have to assume that the server
> from which they are reading the KEY file is the real one.
>

Strictly speaking, yes. The KEY file can be downloaded without needing https
access, but as you point out, this is not necessarily a guarantee of
authenticity. However, it is one more obstacle that a hacker would have to
surmount - they would have to subvert the SVN host as well as the main apache
host holding the KEY file.

> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
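The thread takes for granted that the reader already verifies releases against the project's KEYS file; the step that actually makes the KEYS file matter is refusing any signature whose key is not in it. The script below is an added example, not code from the thread or from the Apache project, showing that check with GnuPG: the KEYS file (fetched separately, e.g. from SVN over https as sebb suggests) is imported into a throw-away keyring, so a good signature from a key that merely happens to be in the user's own keyring does not count. The function name `verify_release`, the file names and the test signer are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact against a
# detached PGP signature, accepting only signers listed in the supplied KEYS
# file. Assumes GnuPG 2.x; file names are placeholders.
set -eu

# verify_release KEYS_FILE ARTIFACT SIGNATURE
# Exit status 0 only if SIGNATURE is a valid signature over ARTIFACT made by
# a key whose fingerprint is present in KEYS_FILE.
verify_release() {
    keys=$1; artifact=$2; sig=$3
    # Isolated keyring: nothing from the user's normal ~/.gnupg is consulted,
    # so "signed by a key in KEYS" is the only way to succeed.
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    result=1

    if ! gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null; then
        echo "FAIL: could not import any key from $keys" >&2
        rm -rf "$tmp"
        return 1
    fi

    # Machine-readable status on stdout; VALIDSIG's first argument is the
    # full fingerprint of the signing key. A bad signature makes gpg exit
    # non-zero, hence the '|| true' so we can inspect the status ourselves.
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')

    if [ -z "$fpr" ]; then
        echo "FAIL: no valid signature on $artifact" >&2
    elif gpg --homedir "$tmp" --batch --list-keys --with-colons 2>/dev/null \
            | grep -q "^fpr:.*:$fpr:"; then
        # Defensive re-check: the signer's fingerprint is in the keyring we
        # built from KEYS, so it is one of the project's published keys.
        echo "OK: $artifact signed by $fpr (listed in $keys)"
        result=0
    else
        echo "FAIL: signer $fpr is not listed in $keys" >&2
    fi

    rm -rf "$tmp"
    return $result
}

# Usage:
#   verify_release KEYS apache-foo-1.0.tar.gz apache-foo-1.0.tar.gz.asc
```

The point sebb makes in the thread is about where KEYS comes from; the script deliberately takes it as a parameter so that the caller can supply a copy obtained over a channel independent of the download mirror, which is what makes a forged artifact-plus-signature on a compromised mirror insufficient on its own.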