On Fri, Sep 5, 2008 at 5:59 AM, Bill Davidsen <davidsen@xxxxxxx> wrote: > This is a (hopefully) one-time problem, and therefore it probably doesn't > need a perfect, automated, runs-by-itelf solution. And my assumption has > been that some people at other repositories do personally know and interact > with official people in the Fedora project, and that there is an out-of-band > way to pass information to the people at some other repository. Your assumption absolutely breaks the trust metric. Assume your wrong. Assume that 3rd party repositories are treated just like any other end-user to Fedora...because they are just other end-users with absolutely no special relationship. Assume that.. because that's how it stands. > Given the > nature of the problem, that could mean carrying a CD a hundred miles to meet > with someone who is personally known to you from a presentation, etc, etc. > It need not be pretty, let's assume that this is a one-time problem. Are seriously telling us to wait to distribute keys to people so we can get updates flowing again until someone has flown several hundred miles and done the GPG key signing dance with a 3rd party repo signatory and then flown back? Right now for this one time problem.. that is absolutely not worth it. Nor with that ever be worth it. Especially since every single one of our users were already using a key that didn't rely on a physical face-to-face 3rd party key signing up to this point. -jef -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
