Hi! On Thu, Dec 06, 2007 at 11:23:37AM +0000, Stuart Henderson wrote: >On 2007/12/06 13:12, Lars Noodin wrote:
>> If the installation process (from the purchased CDs) had a list of the >> public keys for the official mirror sites, then that would go a long >> way. >That would make it rather hard to revoke a key if there ever >was a problem. Key revocation lists in some form? If it's gpg/OpenPGP, instruct users to update from keyservers, one will notice when there're incompatibilities between the key from CD and the one from the keyserver, but one will also get the revocation from the keyserver. And if one buys every CD, there's the time window of half a year even without a key revocation infrastructure. Kind regards, Hannah.
