From: "Jeff Spaleta" <jspaleta@xxxxxxxxx>
Sent: Friday, 2008, September 05 09:46
On Fri, Sep 5, 2008 at 5:59 AM, Bill Davidsen <davidsen@xxxxxxx> wrote:
> This is a (hopefully) one-time problem, and therefore it probably doesn't
> need a perfect, automated, runs-by-itself solution. And my assumption has
> been that some people at other repositories do personally know and interact
> with official people in the Fedora project, and that there is an out-of-band
> way to pass information to the people at some other repository.
Your assumption absolutely breaks the trust metric. Assume you're wrong. Assume
that 3rd party repositories are treated just like any other end-user
to Fedora...because they are just other end-users with absolutely no
special relationship. Assume that.. because that's how it stands.
> Given the nature of the problem, that could mean carrying a CD a hundred miles to meet
> with someone who is personally known to you from a presentation, etc, etc.
> It need not be pretty, let's assume that this is a one-time problem.
Are you seriously telling us to wait to distribute keys to people so we
can get updates flowing again until someone has flown several hundred
miles and done the GPG key signing dance with a 3rd party repo
signatory and then flown back? Right now for this one time problem..
that is absolutely not worth it. Nor will that ever be worth it.
Especially since every single one of our users was already using a
key that didn't rely on a physical face-to-face 3rd party key signing
up to this point.
Suppose Fedora generates a new key. They can get it out there by putting
it on their website, in an update RPM, and in plain textual format in
the primary download sites. Then I as a user either trust that or find
I have to take a trip to somebody's office I know is authoritative for
Fedora and get the key on some portable media.
Now, I can also check the key if it is uploaded to all the mirrors the
same way. If I download from a large collection of sites and they all
are bit copies of each other then either the web of deceit is so large
we're all lost anyway or I have a good key.
So the focus of the discussion is silly. Trust is established once, in
some way. Use the same way again that satisfied you in the first place
and get on with life.
{^_^} <- betting the real problem is "infrastructure."
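The cross-check described in the last message above (fetch the new key from the website, the update RPM and several mirrors, then confirm every copy is bit-identical) written out as an added example; it is not code from the thread or from Fedora. The source names and key bytes are constructed, and a SHA-256 digest stands in for the GPG fingerprint so it runs without gpg installed.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for the key file as served by several sources.
# Caveat: mirrors that sync from one master are not independent witnesses,
# so agreement among them shows consistency, not authenticity by itself.
GOOD_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            b"mQENBEx...constructed-sample-not-a-real-key...\n"
            b"-----END PGP PUBLIC KEY BLOCK-----\n")
TAMPERED_KEY = GOOD_KEY.replace(b"mQENBEx", b"mQENBEy")  # one altered byte

SOURCES = {
    "website":    GOOD_KEY,
    "update-rpm": GOOD_KEY,
    "mirror-a":   GOOD_KEY,
    "mirror-b":   TAMPERED_KEY,   # the out-of-step copy
    "mirror-c":   GOOD_KEY,
}

def digest(key_bytes: bytes) -> str:
    """Stand-in for 'gpg --with-fingerprint': hash the raw key bytes."""
    return hashlib.sha256(key_bytes).hexdigest()

def check_consensus(sources: dict, require_unanimous: bool = True) -> dict:
    """Compare the key as fetched from every source.

    Returns the digest most sources agree on, how many sources saw it,
    the sources that disagree, and whether the check passes under the
    chosen policy: unanimity (any disagreement fails) or simple majority.
    """
    if not sources:
        raise ValueError("need at least one source to compare")
    digests = {name: digest(data) for name, data in sources.items()}
    counts = Counter(digests.values())
    consensus, votes = counts.most_common(1)[0]
    outliers = sorted(name for name, d in digests.items() if d != consensus)
    ok = (not outliers) if require_unanimous else (votes > len(sources) / 2)
    return {"consensus": consensus, "votes": votes,
            "outliers": outliers, "ok": ok}

if __name__ == "__main__":
    result = check_consensus(SOURCES)
    print("consensus digest:", result["consensus"])
    print("disagreeing sources:", result["outliers"], "-> ok:", result["ok"])
```

Under the unanimity policy the single tampered mirror fails the whole check and is named, which is the signal worth chasing before trusting the key; the majority policy only tells you which copy the crowd holds.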
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines