Fwd: Re: German ct magazine postulates death of pgp encryption

Stephan Beck stebe at mailbox.org
Tue Mar 3 13:54:01 CET 2015


Hi Peter,

as your message hasn't reached the list in spite of being addressed to it, I
am resending it.

Thanks

Stephan


-------- Forwarded Message --------
Subject: Re: German ct magazine postulates death of pgp encryption
Date: Mon, 02 Mar 2015 18:53:57 +0100
From: Peter Lebbing <peter at digitalbrains.com>
To: Stephan Beck <stebe at mailbox.org>, gnupg-users at gnupg.org

On 02/03/15 11:35, Stephan Beck wrote:
> Sticking to that "perfect position argument", in what kind of position are 
> (would be) the people that control (packaging of) your distro? (Just
> curious.)

I think they basically completely control my system. For individual Debian
Developers, it might need some ingenuity to get something sneaky on my
computer, since they generally only provide source, and the binaries are built
on the Debian infrastructure. Mind you, I say they need some ingenuity, that
is a far shot from "it's difficult". But the keys that the package manager
checks? If you have those, and can get my package manager to download your
stuff, it's trivial to change any file, any binary, any program on my computer.

It has occurred to me that I probably could simply local-sign and fully trust
all OpenPGP keys of Debian Developers, since if the holder of said key wanted,
they could simply hardwire my GnuPG installation to effectively do the same
without my consent. But still, I haven't done it :).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>




