On Fri, Sep 5, 2008 at 5:09 PM, Todd Zullinger <tmz@xxxxxxxxx> wrote:
> 1) I don't know where you get the idea that one person that everyone
> trusts must sign the key for any signatures to be valid. That's not
> what the web of trust is about.

Yes of course.. a chain of trust... I misspoke. Let me be more deliberate.

A single signature that everyone ends up trusting through their own personal chains of trust. I don't really think one signature is going to suffice for everyone who cares about this to the point of requesting detached signatures be included with the key in the package. If Jesse signs it and posts that signature to the key server, is that going to suffice for everyone who needs signature assurance? Is Jesse really in everyone's web of trust?

> If Jesse Keating or other rel-eng folks with access to the private key
> sign the key, it holds some weight as they are the folks that can
> properly verify the key.

It only holds weight if those with signing authority with the key also cross-sign their personal keys using the package signing key. The only way to verify access to the key is to sign with the key. So for this to mean anything at all, we'll need to get the people with signing authority to sign their personal GPG key with the signing key as well as sign the signing key with their personal key, then submit both signatures to a public keyserver for verification, or you'll not have any verifiable evidence that these people have access to the signing key at all. God forbid you take my word for it that Jesse or anyone else actually has signing authority. Without the cross-signing, you are just taking our collective word for who has access to the key. And there's no point in including the detached sigs unless we also include the personal signing keys and the associated cross-signatures. Again, it's all more effectively done via public keyserver operations.

If you can wait for it, I can try to make sure that the people with signing authority do the cross-signing with their personal keys and public keyserver publishing. But it's not going to happen before the key is pushed out in the fedora-release package. This is probably a good topic for the next scheduled rel-eng meeting or FESCo meeting if it doesn't happen by then.

-jef

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
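The cross-signing and verification steps described in the message above, as an added example that is not part of the original thread and not Fedora's own tooling. It assumes GnuPG 2.1 or later is on PATH. The two keys, their names and the example.invalid addresses are throwaway keys generated in a temporary keyring for the demo, not the real Fedora package-signing key or any rel-eng member's key; the check functions are what a third party would run after fetching both keys from a keyserver.

```shell
#!/bin/sh
# Added example, not from the original thread.  Two throwaway keys stand in
# for the package signing key and a release engineer's personal key; the
# names and addresses below are assumptions for this demo only.
set -eu

# Non-interactive gpg: batch mode, answer yes, empty passphrase so the
# throwaway keys need no pinentry.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Work in an isolated keyring so nothing touches the caller's real keys,
# and remove it (and its agent) when the script exits.
fresh_keyring() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
}

# Full fingerprint of the primary key whose user ID matches $1.
fpr_of() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Long key ID (last 16 hex digits of the fingerprint), the form in which
# --check-sigs names the signer of each certification.
keyid_of() {
  printf '%s' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# Number of good ("!") certifications on key $1 made by key $2.
# This is the check a verifier runs after --recv-keys for both keys.
good_sigs_by() {
  gpg --batch --with-colons --check-sigs "$1" \
    | awk -F: -v signer="$(keyid_of "$2")" \
        '$1 == "sig" && $2 == "!" && $5 == signer { n++ } END { print n + 0 }'
}

# Succeeds only when each key carries a good signature from the other.
# A signature on the signing key alone shows that the person vouches for
# it; the reverse signature is the evidence that they can use it.
cross_signed() {
  [ "$(good_sigs_by "$1" "$2")" -gt 0 ] && [ "$(good_sigs_by "$2" "$1")" -gt 0 ]
}

demo() {
  fresh_keyring
  g --quick-gen-key 'Package Signing Key (demo) <signing@example.invalid>' default default never
  g --quick-gen-key 'Release Engineer (demo) <releng@example.invalid>' default default never
  SIGNING=$(fpr_of signing@example.invalid)
  RELENG=$(fpr_of releng@example.invalid)

  # Step 1: the engineer signs the package signing key with their personal key.
  g -u "$RELENG" --quick-sign-key "$SIGNING"
  if cross_signed "$SIGNING" "$RELENG"; then
    echo "one-way signature must not count as cross-signing" >&2
    return 1
  fi
  echo "after step 1: signing key is certified, but nothing proves access to it"

  # Step 2: the engineer's personal key is signed with the package signing key,
  # which only someone holding its private half can do.
  g -u "$SIGNING" --quick-sign-key "$RELENG"
  cross_signed "$SIGNING" "$RELENG"
  echo "after step 2: cross-signatures present; publish both keys with --send-keys"
}

if command -v gpg >/dev/null 2>&1; then
  demo
else
  echo "gpg (GnuPG 2.1+) not found; nothing to demonstrate" >&2
fi
```

In real use the keys come from a keyserver (`gpg --recv-keys` for the signing key and for each rel-eng member's key) rather than being generated locally, and `good_sigs_by` is then run in both directions against the fetched keys; the `!` validity field of `--check-sigs` is what distinguishes a signature that actually verifies from one whose signer key is missing or whose signature is bad.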