It might be worth clarifying that, if you're using that keybase.pub website, you're trusting the Keybase server that hosts it to honestly serve the files. But if you run the Keybase client locally, and browse the same files under `/keybase/public/`, your client will check the signatures on everything, and you are not trusting the server.
That's an important clarification, and I would add: it's easier to trust when you can verify.
That is to say, the website is HTTPS, so I trust that the server I'm asking for the file is the same one that gives it to me. And since I can verify signatures locally, any time I choose, it would be hard for that server to get away with modifying file contents only when served through the site; sooner or later someone would catch them out at it.
But yes, if it's important, definitely get the files from a native client; CLI or GUI shouldn't matter.
> And since I can verify signatures locally, any time I choose, it would be hard for that server to get away with modifying file contents only when served through the site, sooner or later someone would catch them out at it.
That's only true if they lie to large numbers of people. If they just lie to a handful of people, who will ever know? (And you're probably not connecting through Tor, so there's a good chance they could know exactly who you are.)
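An added illustration of the two trust models discussed in this thread, not Keybase's own code or protocol: the publisher signs a file once, a dishonest host hands a tampered copy only to the few requesters it singles out (the "lie to a handful of people" case above), the web viewer accepts whatever the TLS-authenticated server returns, and a local client holding the publisher's pinned key rejects the swap. Ed25519 stands in for Keybase's real signing scheme, and the file contents, requester names and keys are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Published is a file plus the publisher's detached signature over it.
type Published struct{ Data, Sig []byte }
// Publish signs the file once; followers pin the publisher's public key.
func Publish(priv ed25519.PrivateKey, data []byte) Published {
	return Published{Data: data, Sig: ed25519.Sign(priv, data)}
}
// Server hosts the file; a dishonest one can lie only to the requesters it singles out.
type Server struct {
	File     Published
	Targets  map[string]bool // requesters who get the tampered copy
	Tampered []byte
}
func (s Server) Serve(requester string) Published {
	if s.Targets[requester] {
		return Published{Data: s.Tampered, Sig: s.File.Sig} // old signature, new bytes
	}
	return s.File
}
// ViewOnWeb models the website: TLS proves who answered, then trusts whatever came back.
func ViewOnWeb(s Server, requester string) []byte { return s.Serve(requester).Data }
// ViewWithClient models the local client: verify against the pinned key, refuse on failure.
func ViewWithClient(s Server, requester string, pub ed25519.PublicKey) ([]byte, bool) {
	got := s.Serve(requester)
	if !ed25519.Verify(pub, got.Data, got.Sig) {
		return nil, false
	}
	return got.Data, true
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := Server{ // constructed sample data; only alice is lied to
		File:     Publish(priv, []byte("fingerprint: CONSTRUCTED-REAL")),
		Targets:  map[string]bool{"alice": true},
		Tampered: []byte("fingerprint: CONSTRUCTED-FAKE"),
	}
	for _, who := range []string{"alice", "bob"} {
		_, ok := ViewWithClient(srv, who, pub)
		fmt.Printf("%s: web shows %q, client accepts=%v\n", who, ViewOnWeb(srv, who), ok)
	}
}
```

Bob's web view and client view agree, so he never notices anything; only Alice's verifying client reports the mismatch, which is why the "someone will catch them" argument depends on the targeted readers being the ones who verify.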
> the website is https, so I trust that the server I'm asking for the file is the same one that gives it to me.
The time between them modifying the files and someone noticing isn't a trivial detail. It's the same idea behind 0-day exploits: perform an attack until someone catches you.
This would be a somewhat stronger argument if we knew someone was actually checking. Who's going to bother?
But in practice it doesn't seem very different from any other hosting site? I'm wondering if they use a CDN, how long they will be able to offer free hosting, and what happens when people start publishing controversial content through them?