On Wed, 24 Sep 2003, Some Guy wrote:
> This big branch of a thread started because I
> suggested we distribute freenet via freenet before we
> distribute linux distributions. How do SUSE, Red Hat,
> Debian, etc. make their certificates? If it's good
> enough for them, wouldn't it be good enough for us?

Debian uses a PGP keyring of all the developers, signing each other's. PGP has a well-defined key and signature revocation scheme, so a lost key can be revoked and broken trust can be dealt with with signature revocation. It's not a perfect scheme, but since no single maintainer speaks for "Debian" with their signature, the whole project isn't compromised by a single lost key.

Mind you, for the average user they don't even check the signatures on the packages. But if the whole thing were more automatic...

--Dan
_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl