On Thu, Apr 03, 2014 at 06:44:36AM +0400, Evgeny Kapun wrote:
> 03.04.2014 00:50, Jonathan McDowell wrote:
> > Public keyservers aren't expected to provide verification of key
> > authenticity. The signatures on the keys themselves do that. The
> > Debian Live CD key is signed by Daniel, whose key is then signed by
> > many other DDs (and present in the debian-keyring package). If we
> > pushed the Live CD role key to the debian-keyring package we're
> > still assuming the user has access to a Debian box to install it and
> > then also has a proper trust path (presumably via the shasums on the
> > APT package lists and then the Debian archive signing key for those
> > package lists) to that package. If they're not using a Debian box
> > to write the live CD then none of these pieces help.
> >
> > In short, putting the Live CD key in the debian-keyring package
> > doesn't demonstrably solve the problem of verifying a Live CD that I
> > can tell.
>
> Putting the Live CD key in the debian-keyring package makes verification
> MUCH easier. It would be enough just to run `gpgv --keyring
> /usr/share/keyrings/debian-role-keys.gpg /path/to/SHA1SUMS.sig',
> instead of having to find a signature made by the right key.
You're making an assumption that the key on the filesystem at
/usr/share/keyrings/debian-role-keys.gpg is the right one, which relies
on a whole extra chain of trust which I referred to above.

J.

--
I'm from the tax office. I'm here to take all your money.
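The two-step check Evgeny describes (gpgv over the checksum list, then the image against that list), written out as an added shell example that is not part of this thread or of Debian's own tooling. The file names SHA1SUMS and SHA1SUMS.sig and the keyring path are taken from the messages above; the function names and the image name are illustrative. gpgv trusts exactly the keyring it is handed and nothing else, which is where Jonathan's point bites: a passing result here says only "signed by a key in that keyring file", so the result is worth no more than the path by which that keyring file reached the machine.

```shell
#!/bin/sh
# Verify a Debian Live image in two steps:
#   1. gpgv checks the detached signature over the checksum list, trusting
#      ONLY the keys in $KEYRING (no web of trust, no default keyring);
#   2. sha1sum checks the image against the now-authenticated list.
# Keyring path and SHA1SUMS/SHA1SUMS.sig names follow the thread above;
# everything else is an illustrative assumption.
set -eu

KEYRING=${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}

# Step 1: detached-signature check. gpgv exits non-zero on a bad signature
# or on a signature by a key that is not in the supplied keyring.
verify_sums_signature() {
    sums=$1
    sig=$2
    gpgv --keyring "$KEYRING" "$sig" "$sums"
}

# Step 2: hash check of one image against the signed list. Only the line
# for this image is fed to sha1sum; if the image is not listed, sha1sum
# sees no checksum lines and fails, so an absent entry is rejected too.
verify_image_hash() {
    sums=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    image=$2
    dir=$(dirname "$image")
    name=$(basename "$image")
    (cd "$dir" && grep -E "^[0-9a-f]{40} [ *]${name}\$" "$sums" \
        | sha1sum -c --status)
}

# Both steps; a failure in either aborts because of set -e.
verify_live_image() {
    verify_sums_signature "$1" "$2"
    verify_image_hash "$1" "$3"
}

# Usage (assumed file layout):
#   verify_live_image /path/to/SHA1SUMS /path/to/SHA1SUMS.sig /path/to/debian-live.iso
```

Note that step 2 is where the downloaded bytes actually get checked; step 1 only proves the checksum list was signed by one of the keys the caller chose to trust. Swapping in a keyring obtained over an unauthenticated channel silently turns the whole procedure into a check against whoever supplied that file.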