non-disclosure of infrastructure problem a management issue?
Michael J Gruber
michaeljgruber+gmane at fastmail.fm
Thu Aug 21 13:21:57 UTC 2008
Alan Cox venit, vidit, dixit 21.08.2008 14:56:
>> If there is an issue severe enough which warrants stopping updates
>> (which indicates that rpm signing keys have been compromised) why
>> should we trust those fingerprints and servers?
>
> Because you have no other basis of trust at all if you don't believe
> the master keys ?
Exactly this is how I came to trust e.g. the rpm signing keys in the
first place: there was no other basis but to trust the master keys in a
"no news is good news" situation where everybody trusted them and no
problems arose. Now there is news - seemingly bad news - and there are
problems. Trust is easily lost but hard to restore. Debian folks can
tell you...
> Or you set up a new infrastructure and create the 'provisional fedora
> project' or whatever.
Don't trust me! ;)
Michael
More information about the users
mailing list