intrigeri:
> sajolida@??? wrote (07 Apr 2014 19:17:00 GMT) :
>> I'm not sure to get what is your proposal here. Are you suggested to
>> have Tails Installer packaged for Debian and Ubuntu?
>
> Yes.
>
>> This could be a scenario:
>
>> 1. The user installs the tails-installer package.
>> 2. The user Tails Installer.
>> 3. Tails Installer adds a Tails signing key included in the package to
>> the user's keyring and provide info about how to verify it better.
>> 4. Tails Installer downloads the latest ISO image.
>> 5. Tails Installer verifies the ISO image with the signing key found in
>> the user's keyring.
>> 6. Tails Installer installs the ISO image onto a USB stick.
>> 7. The user restarts on a fully operational Tails.
>
> That would be it, but I see no reason to use or modify the user's
> keyring. Using a dedicated keyring is safer.
The user might, either before, either after using the Installer, do
stronger verification on the signing key in her own keyring. For example
you might have a personal trust path or a local signature in your
personal keyring.
Maybe an alternative would be to combine both without modifying the
user's keyring:
1. Verify first with the signing key from the package
2. Also try to verify the ISO using the user's keyring
3. Compare both results and warn the user if they differ
