For what it is worth, not signing the key is bug 1043276: https://bugzilla.redhat.com/show_bug.cgi?id=1043276
> Date: Mon, 22 Feb 2016 19:47:51 +0000
> From: Gregory Maxwell <gmaxw...@gmail.com>
> Subject: Re: More prominent link to verification hashes
> To: Development discussions related to Fedora
>     <devel@lists.fedoraproject.org>
> Message-ID:
>     <CAAS2fgSKZkOQQY=dw4-bslqr66enwmxhbpv5sasg6sbkmce...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi <ke...@scrye.com> wrote:
>> My point was that you can get the signatures off the key from the
>> keyserver and see if any of them are someone you trust. If not, are
>> they connected to someone you trust (hey, look, web of trust). I think
>> expanding the web of trust on the signatories of the keys would help
>> more than just trying to distribute the key fingerprint "lots of
>> places".
>
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org