On Fri, Sep 05, 2008 at 08:17:48PM -0800, Jeff Spaleta wrote: > On Fri, Sep 5, 2008 at 5:09 PM, Todd Zullinger <tmz@xxxxxxxxx> wrote: > > 1) I don't know where you get the idea that one person that everyone > > trusts must sign the key for any signatures to be valid. That's not > > what the web of trust if about. > > Yes of course.. a chain of trust... i mispoke. Let me be more > deliberate. A single signature that everyone ends up trusting through > their own personal chains of trust. I don't really think one signature > is going to suffice for everyone who cares about this to the point of > requesting detected signatures be included with the key in the > package. If Jesse signs it and posts that signature to the key server > is that going to suffice for everyone who needs signature assurance? > Is Jesse really in everyone's web of trust? I don't normally read this list, so pardon the late comment. I feel that posting the new package signing key information far and wide is a fine method to distribute it, and additional signatures on it are not strictly necessary. However, if it would help smooth adoption, I'd be happy to trade signatures with anyone who is in a position to sign the new package signing key (for obvious reasons, I cannot sign it myself). I'm one of the GnuPG developers, and as such, a copy of my key is in /usr/share/doc/gnupg-1.4.x/samplekeys.asc on any system that has gnupg-1.4 installed. It's a key that many (most?) Fedora users already have, and had before this current problem even started. This doesn't mean people should necessarily trust my key, of course, but it does serve as a pretty effective pre-distributed key that can be leveraged for this as its very wide distribution would make it difficult to replace out from under someone without the mischief being very visible (much the same argument that also holds for the new package signing key, of course, except that my key is already widely distributed). As luck has it, I work around half an hour away from the Red Hat Massachusetts office. David
Attachment:
pgps3s0AtKHyE.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines