Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <ju...@oksystem.cz> wrote:
> > I would like to install Subversion 1.8 from native distribution repository
> > and wonder why it is not available…
> 
> My RPM building tools are published. I don't personally have a web
> service I can rely on sufficiently well to publish reliable, GPG
> signed RPMs and have high confidence that someone can't maliciously
> replace the repository, including a fake GPG key. Who checks the
> signature chain on website published GPG keys?

Even people who don't have a PGP trust path to your key will still be
protected from this attack if they do "key pinning", i.e., if they check
that "it's the same key as last time".

(So long as people don't re-pin to a new key when the key on the website
changes, of course.)
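As an added illustration of the pinning check described above (example code, not from the thread or from either poster): a trust-on-first-use store that records a repository's OpenPGP v4 signing-key fingerprint and, when the key published with the repository changes, keeps the old pin and refuses rather than re-pinning. The repository URL and the RSA modulus are constructed placeholders, and only old-format packet headers (the form gpg emits for public-key packets) are parsed.

```python
import hashlib
import struct

def parse_old_format_packet(packet: bytes):
    """Return (tag, body) for an old-format OpenPGP packet (RFC 4880 section 4.2.1)."""
    hdr = packet[0]
    if hdr & 0xC0 != 0x80:
        raise ValueError("expected an old-format packet header")
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    off = 1 + (1 << ltype)                     # 1, 2 or 4 length octets
    length = int.from_bytes(packet[1:off], "big")
    return tag, packet[off:off + length]

def fingerprint_v4(packet: bytes) -> str:
    """SHA-1 over 0x99, two-octet body length, body (RFC 4880 section 12.2)."""
    tag, body = parse_old_format_packet(packet)
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def constructed_rsa_key_packet(n: int, e: int = 65537, created: int = 1446552000) -> bytes:
    """Constructed v4 RSA public-key packet for the demo; the numbers are not a real key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

class KeyPinStore:
    """Trust-on-first-use: remember each repository's signing-key fingerprint."""
    def __init__(self):
        self.pins = {}
    def check(self, repo: str, key_packet: bytes) -> str:
        fp = fingerprint_v4(key_packet)
        pinned = self.pins.get(repo)
        if pinned is None:
            self.pins[repo] = fp      # first contact: pin whatever key the site publishes
            return "pinned"
        if pinned == fp:
            return "match"
        return "mismatch"             # key changed: keep the old pin and refuse the repository
```

A real client would persist `pins` on disk and compare against the fingerprint gpg prints for the downloaded key; the point is that a "mismatch" result must not silently become a new pin.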
