On Fri, Sep 05, 2008 at 08:17:48PM -0800, Jeff Spaleta wrote:
> On Fri, Sep 5, 2008 at 5:09 PM, Todd Zullinger <[EMAIL PROTECTED]> wrote:
> > 1) I don't know where you get the idea that one person that everyone
> > trusts must sign the key for any signatures to be valid.  That's not
> > what the web of trust if about.
> Yes of course.. a chain of trust... i mispoke. Let me be more
> deliberate.  A single signature that everyone ends up trusting through
> their own personal chains of trust. I don't really think one signature
> is going to suffice for everyone who cares about this to the point of
> requesting detected signatures be included with the key in the
> package.  If Jesse signs it and posts that signature to the key server
> is that going to suffice for everyone who needs signature assurance?
> Is Jesse really in everyone's web of trust?

I don't normally read this list, so pardon the late comment.

I feel that posting the new package signing key information far and
wide is a fine method to distribute it, and additional signatures on
it are not strictly necessary.  However, if it would help smooth
adoption, I'd be happy to trade signatures with anyone who is in a
position to sign the new package signing key (for obvious reasons, I
cannot sign it myself).

I'm one of the GnuPG developers, and as such, a copy of my key is in
/usr/share/doc/gnupg-1.4.x/samplekeys.asc on any system that has
gnupg-1.4 installed.  It's a key that many (most?) Fedora users
already have, and had before this current problem even started.  This
doesn't mean people should necessarily trust my key, of course, but it
does serve as a pretty effective pre-distributed key that can be
leveraged for this as its very wide distribution would make it
difficult to replace out from under someone without the mischief being
very visible (much the same argument that also holds for the new
package signing key, of course, except that my key is already widely

As luck has it, I work around half an hour away from the Red Hat
Massachusetts office.


Attachment: pgpZVCDBC9hPA.pgp
Description: PGP signature

fedora-list mailing list
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Reply via email to