Hacker News
by leni536 3222 days ago
> Consider the case where download.docker.com starts serving an evil key file

At that point I can't trust the key ID in the Docker documentation either. Since Docker doesn't use a web of trust (who does, honestly?), there is no way that I can verify the key ID in the provided key file. So I don't know how inspecting the key file before adding it to the apt keyring does any good.
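As an added example (not part of the comment above, and not Docker's tooling or key), here is what "inspecting the key file" concretely amounts to when the reference value does come from somewhere the mirror cannot alter: compute the OpenPGP v4 fingerprint of the primary key in the downloaded file (RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length and the Public-Key packet body) and refuse to write anything into the apt keyring unless it equals the pinned value. The key packets, the creation time, the 64-bit modulus and the user ID are all constructed for the demonstration; the file layout (armor, old- and new-format packet headers, MPIs) follows the RFC.

```python
"""Pin an OpenPGP key fingerprint before the key goes near apt (added example).

The v4 fingerprint is SHA-1 over 0x99, a two-octet body length and the
Public-Key packet body.  A key ID is merely the low bits of that fingerprint,
so the full fingerprint is what gets pinned.  All key material here is
constructed; in real use the pinned value must come from a channel that is
not the same server the key file was downloaded from.
"""
import base64
import hashlib
import hmac


def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2); binary input is returned unchanged."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    rows, in_block, past_headers = [], False, False
    for line in data.decode("ascii").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("-----END PGP"):
            break
        elif not past_headers:
            past_headers = line == ""      # armor headers end at the blank line
        elif not line.startswith("="):     # "=XXXX" is the optional CRC24 line
            rows.append(line)
    return base64.b64decode("".join(rows), validate=True)


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if ctb & 0x40:                                     # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                              # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint of a v4 Public-Key packet body as 40 upper-case hex digits."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def primary_fingerprint(keyfile: bytes) -> str:
    """Fingerprint of the first Public-Key packet (tag 6) in an armored or binary key file."""
    for tag, body in iter_packets(dearmor(keyfile)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no Public-Key packet in key file")


def key_id(fingerprint: str) -> str:
    """The 16-hex-digit long key ID is only the tail of the fingerprint."""
    return fingerprint[-16:]


def verify_pinned(keyfile: bytes, expected_fingerprint: str) -> bool:
    """True only if the primary key's fingerprint equals the pinned value (spaces/case ignored)."""
    pinned = expected_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(primary_fingerprint(keyfile), pinned)


def install_if_pinned(keyfile: bytes, expected_fingerprint: str, dest: str) -> str:
    """Write the dearmored key to dest (e.g. a file under /etc/apt/keyrings) only after the check passes."""
    if not verify_pinned(keyfile, expected_fingerprint):
        raise ValueError("fingerprint mismatch: refusing to install key")
    with open(dest, "wb") as fh:
        fh.write(dearmor(keyfile))
    return primary_fingerprint(keyfile)


def build_sample_key(modulus: int = 0xD3A14F2B7C09E65F) -> bytes:
    """Constructed v4 RSA Public-Key packet plus a User ID packet, old-format headers.

    The 64-bit modulus is nowhere near a real key; only the packet layout matters here.
    """
    def mpi(x: int) -> bytes:                              # RFC 4880 section 3.2
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = (bytes([4])                                     # version 4
            + (0x5A000000).to_bytes(4, "big")              # constructed creation time
            + bytes([1])                                   # algorithm 1 = RSA
            + mpi(modulus) + mpi(65537))
    uid = b"Constructed Test Key <test@example.invalid>"
    return bytes([0x98, len(body)]) + body + bytes([0xB4, len(uid)]) + uid


def armor(packets: bytes) -> bytes:
    """Wrap binary packets in a PGP PUBLIC KEY BLOCK (CRC24 line omitted; dearmor() ignores it)."""
    b64 = base64.b64encode(packets).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{rows}\n-----END PGP PUBLIC KEY BLOCK-----\n".encode()


if __name__ == "__main__":
    genuine = armor(build_sample_key())
    pinned = primary_fingerprint(genuine)                   # real use: copied from an out-of-band source
    print("fingerprint", pinned, "key ID", key_id(pinned))
    evil = armor(build_sample_key(0xD3A14F2B7C09E65E))      # one bit of the modulus flipped
    print("genuine passes:", verify_pinned(genuine, pinned))
    print("swapped key passes:", verify_pinned(evil, pinned))
```

The comparison is only worth anything if the pinned fingerprint was obtained somewhere other than the same download.docker.com and the same docs page an attacker would serve together, which is exactly the comment's point; what the check does buy is that a later swap of the served key file, after you recorded the fingerprint, is caught. Pin the full 160-bit fingerprint rather than a key ID: short key IDs are cheap to collide, and a long key ID is still just the last sixteen hex digits of the fingerprint, as `key_id()` shows.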