On Wed, 2013-08-21 at 22:20 +1000, Zenaan Harkness wrote:
> On 8/21/13, Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote:
> > On Wed, 2013-08-21 at 13:38 +0200, Jochen Spieker wrote:
> >> Essentially, you have a chicken and egg problem.
> >
> > Wrong!
>
> Subtle!
>
> > Keys usually are available by a keyserver you could trust, so for the
> > first time you'll get the key this way. Such a package will update keys
> > as long as the older keys still can be used.
>
> This makes sense, but aren't you just pushing the "chicken or egg"
> problem to the keyserver?
>
> Ie, how do you trust the keyserver?
>
> If this 'problem' were not the case, then why does not the packages
> pre-depends on -keyring, and automatically install it first, without
> any security problems, and without any warning to user?
>
> Surely if this were possible, that's what would be done?
If you download the key from the keyserver, then you'll only get a key. If you download the package with the key or keys, then you'll get a package. On the data highway on the Internet, from the server to you, the package might get corrupted and perhaps doesn't include a key, but malicious software. So getting a key from a keyserver first IMO is safer.

Archive: http://lists.debian.org/1377088704.1192.82.camel@archlinux
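The worry in the reply above is that a package fetched over the network could be corrupted or swapped for something malicious before any key exists to check it. What the keyring actually buys you is the ability to verify the archive's signed Release file; everything after that is a hash chain, which is shown here as an added illustration (not code from this thread or from apt): Release lists the SHA256 of each Packages index, and Packages lists the SHA256 and size of each .deb. The field names follow the Debian archive format; the Release text, Packages stanza and .deb bytes are constructed stand-ins, and `verify_chain` is a hypothetical helper, not an apt API. Signature verification of the Release file itself is assumed to have already happened with the trusted key.

```python
"""Integrity chain an apt client walks once the Release file's signature has
been verified against a trusted keyring. Added illustration with constructed
data; not code from the debian-user thread or from apt itself."""
import hashlib
import re

# Constructed .deb contents (stand-ins; real .deb files are ar archives).
GOOD_DEB = b"!<arch>\nconstructed-good-package\n"
EVIL_DEB = b"!<arch>\nconstructed-tampered-package\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Packages index: one stanza describing the good package.
PACKAGES = (
    "Package: example-keyring\n"
    "Version: 2013.08.21\n"
    "Filename: pool/main/e/example-keyring/example-keyring_2013.08.21_all.deb\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"SHA256: {sha256_hex(GOOD_DEB)}\n"
    "\n"
).encode()

# Constructed Release file. In a real archive this is the file whose
# signature the keyring package lets you check; here it is assumed verified.
RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-all/Packages\n"
).encode()


def parse_release_sha256(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    digests = {}
    in_section = False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # indented lines belong to the section; anything else ends it
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
    return digests


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: {field: value}} for each stanza in a Packages index."""
    stanzas = {}
    for block in packages.decode().strip().split("\n\n"):
        fields = {}
        for ln in block.splitlines():
            key, value = re.match(r"([^:]+): (.*)", ln).groups()
            fields[key] = value
        stanzas[fields["Filename"]] = fields
    return stanzas


def verify_chain(release: bytes, packages_path: str, packages: bytes,
                 deb_filename: str, deb_bytes: bytes) -> bool:
    """True only if every link Release -> Packages -> .deb checks out.

    Any mismatch (unknown index, wrong size, wrong digest, unknown package)
    is a hard failure: a corrupted or substituted download must not install.
    """
    release_digests = parse_release_sha256(release)
    if packages_path not in release_digests:
        return False
    digest, size = release_digests[packages_path]
    if len(packages) != size or sha256_hex(packages) != digest:
        return False
    stanzas = parse_packages(packages)
    if deb_filename not in stanzas:
        return False
    entry = stanzas[deb_filename]
    return len(deb_bytes) == int(entry["Size"]) and sha256_hex(deb_bytes) == entry["SHA256"]


if __name__ == "__main__":
    deb_name = "pool/main/e/example-keyring/example-keyring_2013.08.21_all.deb"
    print("good package:", verify_chain(RELEASE, "main/binary-all/Packages", PACKAGES, deb_name, GOOD_DEB))
    print("tampered package:", verify_chain(RELEASE, "main/binary-all/Packages", PACKAGES, deb_name, EVIL_DEB))
```

The point the example makes is that the hash chain only protects you if its root, the Release file, was verified with a key you already trusted; a tampered index or package is rejected below the root, but nothing below the root can vouch for the root itself, which is why the key has to arrive through a channel you trust independently of the package it will later verify.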