On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote: > According to samba.html, the distribution key is
> http://us1.samba.org/samba/ftp/samba-pubkey.asc > gpg: key 2F87AF6F: public key "Samba Distribution Verification Key ><[EMAIL PROTECTED]>" Then perhaps this should be refreshed from the copy that's on the public keyservers, which is where I imported it from? > mbp@toey ~% gpg --list-sig 2F87AF6F > pub 1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key ><[EMAIL PROTECTED]> > sig 3 2F87AF6F 2002-10-15 Samba Distribution Verification Key ><[EMAIL PROTECTED]> > sig D83511F6 2002-10-15 Gerald W. Carter <[EMAIL PROTECTED]> > sub 1024g/4A271F85 2002-10-15 [expires: 2004-10-14] > sig 2F87AF6F 2002-10-15 Samba Distribution Verification Key ><[EMAIL PROTECTED]> > Jerry's key is pretty well signed, but perhaps not strongly connected > to the world at large. Ah, well, he at least has good connectivity to other Samba Team members. And to other people from valinux.com that I don't recognize. :) > I don't know of any way to get GPG to automatically download > signatures for the web of trust, so unless people happen to have > Jerry's key and those of the people who certify him it is likely to be > untrusted. You write a shell script that walks the signature list and grabs from the keyserver, I suppose. > I think it would be good to get other developers to sign the > distribution key. Perhaps we might also get organizations like CERT > or AusCERT to sign the key (if they will), because administrators are > likely to already have their pubkeys. Do you have key IDs for CERT and AusCERT? I'm interested to see how well-connected they are (would hate for people to substitute unfounded faith in one key for a similar faith in another, at least). Debian being what it is, most of my trust paths to the world pass through people, not through organizations... :) -- Steve Langasek postmodern programmer
msg04565/pgp00000.pgp
Description: PGP signature