Hi Goswin,

On Mon, Jun 23, 2008 at 01:07:38AM +0200, Goswin von Brederlow wrote:
> For example: Each repository puts its keyring into Release.keyring
> (next to Release and Release.gpg). The Release.keyring could be listed
> with checksum in Release so frontends know it is there and when it
> changes.

Personally I'm not sure if it is good at all to store the key on the server whose integrity is to be checked. In my opinion it would be necessary to get the key from some trusted instance, because if I'm not well integrated into the web of trust myself, I cannot rely on the key being checkable by my own trust net.

> I'm not proposing that just any key should be silently accepted. Just
> that it should be automatically fetched and independent of debs. I
> already did run into a case where I could not update the keyring
> package because the Release signature required the new keyring
> package.

Now I understand. It's an interesting idea; I just think that some factors need to be worked out, because there should be a chance for the *average* user to understand whether a key could possibly be trusted or not. (Not every user understands this web-of-trust thing, and this is something that can't really be asked for.)

Best Regards,
Patrick
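To make the mechanism under discussion concrete, here is an added example (not code from this thread, from apt, or from either poster) of what a frontend would do with a Release.keyring entry listed in the SHA256 block of a Release file: parse the block, check the fetched keyring's size and digest, and report whether the keyring is new, unchanged or changed relative to what was seen before. The Release file layout (a `SHA256:` field whose continuation lines hold digest, size and path) is the real apt format; the `Release.keyring` path is only the name proposed above, and the keyring bytes and Release text below are constructed sample data, not a real key. The check deliberately stops at "new" and "changed" rather than importing anything, because a matching digest only proves consistency with a Release file that is itself signed by a key from that same keyring, which is exactly the circularity Patrick points out; the decision to trust a new or changed keyring has to come from outside the repository.

```python
"""Check a fetched Release.keyring against the SHA256 entry in an apt Release file.

Added example; the Release.keyring path is the proposal from the thread, not an apt feature.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# path as listed in Release -> (sha256 hex digest, size in bytes)
ReleaseIndex = Dict[str, Tuple[str, int]]


def parse_release_sha256(release_text: str) -> ReleaseIndex:
    """Return the SHA256 block of a Release file as {path: (digest, size)}.

    A Release file is RFC 822-style: "Field: value" lines, with multi-line
    fields continued on lines that start with a space.  Only the SHA256 block
    is read here; MD5Sum and SHA1 blocks are skipped.
    """
    index: ReleaseIndex = {}
    in_block = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Any non-continuation line starts a new field and ends the block.
            in_block = line.rstrip() == "SHA256:"
            continue
        if not in_block:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed SHA256 entry: {line!r}")
        digest, size, path = parts
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"bad SHA256 digest for {path}: {digest}")
        index[path] = (digest, int(size))
    return index


def check_keyring(release_text: str,
                  keyring_bytes: bytes,
                  previously_seen: Optional[str],
                  path: str = "Release.keyring") -> str:
    """Classify a fetched keyring against its Release entry.

    previously_seen is the digest the frontend recorded last time (None on
    first contact).  Returns one of:
      not-listed, size-mismatch, hash-mismatch, new, unchanged, changed
    "new" and "changed" are the states that need an out-of-band trust decision
    (pinned fingerprint, keyring shipped in the installer, etc.); a matching
    digest on its own only shows the keyring matches a Release file signed by
    a key from that very keyring.
    """
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return "not-listed"
    digest, size = entry
    if len(keyring_bytes) != size:        # cheap check before hashing
        return "size-mismatch"
    actual = hashlib.sha256(keyring_bytes).hexdigest()
    if actual != digest:
        return "hash-mismatch"
    if previously_seen is None:
        return "new"
    return "unchanged" if previously_seen == actual else "changed"


# --- constructed sample data (placeholder text, not a real OpenPGP key) ---
SAMPLE_KEYRING = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                  b"constructed placeholder, not a real key\n"
                  b"-----END PGP PUBLIC KEY BLOCK-----\n")
KEYRING_SHA256 = hashlib.sha256(SAMPLE_KEYRING).hexdigest()
SAMPLE_RELEASE = f"""Origin: Example
Suite: stable
Codename: example
Date: Mon, 23 Jun 2008 00:00:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
SHA256:
 {KEYRING_SHA256} {len(SAMPLE_KEYRING)} Release.keyring
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-i386/Packages
"""

if __name__ == "__main__":
    # First contact: keyring is listed and matches, but nothing is known about it yet.
    print(check_keyring(SAMPLE_RELEASE, SAMPLE_KEYRING, None))
    # Later run with the recorded digest: nothing changed.
    print(check_keyring(SAMPLE_RELEASE, SAMPLE_KEYRING, KEYRING_SHA256))
```

In practice the Release file's own signature (Release.gpg) would be verified first with the keyring the frontend already trusts; this check then tells the frontend when the repository is announcing a keyring it has not seen, which is the moment the average user has to be asked, or a pinned fingerprint consulted, rather than the file being accepted because its checksum lines up.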