On Tue, 23 Feb 2016 04:12:41 +0000
Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:

> On Mon, Feb 22, 2016 at 07:47:51PM +0000, Gregory Maxwell wrote:
> > On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi <ke...@scrye.com>
> > wrote:  
> > > My point was that you can get the signatures off the key from the
> > > keyserver and see if any of them are someone you trust. If not,
> > > are they connected to someone you trust (hey, look, web of
> > > trust). I think expanding the web of trust on the signatories of
> > > the keys would help more than just trying to distribute the key
> > > fingerprint "lots of places".  
> > 
> > The key itself should come with signatures. That it doesn't is
> > weird and inconvenient. If it came with a single signature by a
> > long lived key used for the purpose of authenticating keys, it
> > would go a long way.

Well, as mentioned somewhere else in this thread, sigul (our signing
server) doesn't deal with signatures at all. So, we would have to pull
those signatures from keyservers or sign it internally with only some
small amount of keys or something. 

> Some older Fedora signing keys were signed by prominent Fedora persons
> (up to F12 or so). If one has been to at least one Fedora key signing
> party and has a WOT connection to one of those persons, using the WOT
> is the best way to verify the keys one downloads from the web. It
> would be great if we could resurrect this practice and have one or
> more RelEng members and the Fedora Project Leader sign the Fedora PGP
> keys and upload their signatures to public keyservers.

Sure, I don't have any objection to this... 

kevin


--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
