Secrecy and user trust
tmz at pobox.com
Thu Sep 4 17:37:05 UTC 2008
> I'm not sure whether *also* having the keys on other sites is so bad.
> If you take it like the GPG model - countersigning and cross-checking
> through other sources that you also trust. If Livna, ATRPMs, and a few
> other usual repos had the same Fedora public key, you'd be more
> confident that the key you got from what you think is a real Fedora
> mirror, is the right one.
There certainly isn't anything stopping others from singing the Fedora
key (as can be seen by the number of signatures already¹. I do wonder
how many of those folks have met with the holder of the secret part of
the Fedora key for verifying the fingerprint.
Another issue with adding signatures to the key is that rpm has no
ability to check those signatures (I'm not even sure if it imports
a key with multiple signatures properly). Now that rpm is being more
actively developed and the lack of a key revocation feature has been
felt, maybe someone will submit some patches to add such features².
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
So its hurry! Hurry! Step right up, it's a matter of life or death
The sun is going down and the moon is just holding its breath.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 542 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20080904/d66592e3/attachment-0001.bin
More information about the users