On Sun, 13 Dec 2009 12:23:03 -0500 Eric Morey <e...@glodime.com> wrote:
> On Sun, 2009-12-13 at 23:18 +1030, Karl Goetz wrote:
> > On Sat, 12 Dec 2009 23:17:19 -0500
> > Eric Morey <e...@glodime.com> wrote:
> > > Isn't a wiki an inherently bad place to post a PGP key? How could
> > > I have any level of trust that it is the correct one?
> >
> > if it doesn't match what's signing package lists in the archive it's
> > the wrong key. If someone's MITM'd the archive I don't see why www.
> > or wiki. would be any safer.
>
> It is clear that I don't understand the nuances of cryptographic key
> signing. Your statement simply doesn't make sense to me. I thought
> that the purpose of the PGP key was to verify that the packages
> downloaded are:
> a) the correct packages

"From a trusted vendor" (aka gNS), yes. not sure if that's what you meant
with the above or not.

> and
> b) downloaded without error.

No, this is what the checksums in the Packages{,.gz,.bz2} lists are for.
kk

-- 
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group
_______________________________________________
gNewSense-users mailing list
gNewSense-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/gnewsense-users
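The download-integrity check described in the reply above, as an added example that is not part of the original thread or any project's code: it parses a Packages-style list and compares a downloaded file's size and SHA256 against its entry. The package entries, file bytes and pool path are constructed, and the list is assumed to have already been authenticated with the archive key, which is the separate step the thread discusses.

```python
import hashlib

def parse_packages(text):
    """Parse a Packages-style list into {package name: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation of previous field
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def check_download(index, name, data):
    """Return (ok, reason) for downloaded bytes checked against the list entry."""
    entry = index.get(name)
    if entry is None:
        return False, "not listed"
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        return False, "checksum mismatch"
    return True, "ok"

# Constructed sample data: stand-in file bytes and a two-entry package list.
GOOD_DEB = b"constructed stand-in for the bytes of hello_2.4-1_i386.deb"
SAMPLE_PACKAGES = f"""Package: hello
Version: 2.4-1
Description: example package
 A constructed entry for this example.
Filename: pool/main/h/hello/hello_2.4-1_i386.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}

Package: other
Version: 1.0
Size: 3
SHA256: {hashlib.sha256(b"abc").hexdigest()}
"""
INDEX = parse_packages(SAMPLE_PACKAGES)

if __name__ == "__main__":
    flipped = bytes([GOOD_DEB[0] ^ 1]) + GOOD_DEB[1:]   # one corrupted bit
    for label, blob in [("intact", GOOD_DEB), ("bit flipped", flipped), ("truncated", GOOD_DEB[:-5])]:
        print(label, check_download(INDEX, "hello", blob))
```

A matching checksum only shows the file agrees with the list; whether the list came from the vendor is what the signature made with the archive key establishes.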