Secrecy and user trust

[Tim]

Bill Davidsen:
>> Suggestion: since the livna key is still secure (AFAIK) let them 
>> distribute the new Fedora key and sign the RPM.

Kevin Fenzi:
> That was suggested before, but it's not a great solution for several
> reasons: Not everyone has livna enabled. Having one repo publish keys
> for another seems wrong, especially when they are not officially
> connected. 

I'm not sure whether *also* having the keys on other sites is so bad.
If you take it like the GPG model - countersigning and cross-checking
through other sources that you also trust.  If Livna, ATRPMs, and a few
other usual repos had the same Fedora public key, you'd be more
confident that the key you got from what you think is a real Fedora
mirror, is the right one.

-- 
[tim at localhost ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.