Re: [atomic-devel] [CentOS-devel] CentOS Atomic Host SIG Proposal
- From: Jason Brooks <jbrooks redhat com>
- To: "The CentOS developers mailing list." <centos-devel centos org>
- Cc: atomic-devel projectatomic io
- Subject: Re: [atomic-devel] [CentOS-devel] CentOS Atomic Host SIG Proposal
- Date: Fri, 25 Jul 2014 18:10:37 -0400 (EDT)
This is just a test image, totally unofficial. I expect the SIG eventually to distribute images with all the sorts of measures you suggest.
For now, for enhanced trustability, I suggest people build their own.
Regards,
Jason
R P Herrold <herrold owlriver com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 25 Jul 2014, Jason Brooks wrote:
> I've uploaded [0] a test image for a Project Atomic [1] host
> based on CentOS 7 [2], intended to help with the development
> of an official CentOS 7 image as part of the CentOS Atomic
> SIG [3]. ...
Jason, would you please be so kind as to Gnupg 'clearsign' [1]
the SHASUM file with a key of record at the MIT keyserver,
and hopefully endorsed by someone on the list at [2]. There
are several Red Hatters and Fedorians
The security model for distributing these blogs is potentially
broken as your initial post makes it.
  - Hypothetically, a Dr Evil, or a MitM, could subvert
    both the images and the SHASUM file.
  - Transit is over a non SSL protected channel and so
    subject to invisible MitM.
  - I do not know the provenance of an un-named IP on
    the internet.
  - It is not clear how the distribution is maintained
    or potentially shared with anonymous others.
If the image was built by a scripted process, I would also
appreciate seeing such automation scripting as well.
Thanks,
- -- Russ herrold
[1] http://orcorc.blogspot.com/2008/08/gnupg-few-minutes-on-using-detached-and.html
[2] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x311875419B649644
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlPS0TkACgkQMRh1QZtklkROOgCgnivw1/qwrhYeIWKjvUFNI79M
Yx4An3WCPjLH9TZcH9ciM6z1OqIrSXMP
=MUkP
-----END PGP SIGNATURE-----
_______________________________________________
CentOS-devel mailing list
CentOS-devel centos org
http://lists.centos.org/mailman/listinfo/centos-devel
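Added example, not part of either message in this thread: one way a downloader could check an image once the checksum file is clearsigned as requested above. It assumes sha256sum-format lines and a signer key already in the local keyring with its fingerprint confirmed out of band; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the checksum file uses
# sha256sum's "<hash>  <name>" lines, and the signer's public key is already
# in the local keyring with its fingerprint confirmed out of band.

# check_sums SUMS IMAGE: succeed only if SUMS lists IMAGE's basename with a
# hash equal to the one computed locally. Missing or duplicate entries fail.
check_sums() {
    sums=$1
    image=$2
    name=$(basename "$image")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    if [ -z "$want" ]; then
        echo "no checksum listed for $name" >&2
        return 1
    fi
    have=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$want" != "$have" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# verify_image SIGNED_SUMS IMAGE: check the clearsigned file first, then
# compare hashes using only the text the signature covers.
verify_image() {
    signed=$1
    image=$2
    tmp=$(mktemp) || return 1
    # On a clearsigned file, gpg --decrypt verifies the signature and writes
    # out just the signed text, so lines pasted outside the armor are dropped.
    if ! gpg --batch --yes --output "$tmp" --decrypt "$signed" 2>/dev/null; then
        rm -f "$tmp"
        echo "signature check failed for $signed" >&2
        return 1
    fi
    if check_sums "$tmp" "$image"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}
```

A good signature from any key in the keyring passes this check; to pin one signer, compare the fingerprint on gpg's `--status-fd` `VALIDSIG` line with the expected value.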