
Re: Transparency into private keys of Debian



Hans-Christoph Steiner <hans@at.or.at> writes:

>> In business, such things are confirmed (often badly) by independent
>> audit. For a volunteer-driven community effort, we have to rely on
>> everyone to exercise their best judgement in these sorts of matters.
>
> Debian could also get independent, professional audits.  I think it
> would be a good use of the Debian pot of money, for example.  Or
> someone could submit a proposal to get Debian audited.  I'll bet either
> Open Tech Fund or NLnet would do it:
>
> https://www.opentech.fund/labs/red-team-lab/
>
> Open Tech Fund already funds Tails, which is based on Debian.

That would be useful for the important keys like the apt release keys,
and would set an example for others to follow.  If there are things to
improve, it would be better if we know about them than allowing
attackers to find out on their own.  For DD keys, as Jeremy noticed, I
don't think it is useful: uses of DD keys leave a quite auditable flow
already.

/Simon
