Quoting Henry House ([EMAIL PROTECTED]):
> I've occasionally speculated that it would be really useful for
> distributions to provide a package containing all the public keys used by
> upstream maintainers (e.g., kernel.org) to sign releases. There is no
> guarantee that when I download Foo Group GmbH's latest tarball and PGP key
> from their FTP server, then verify the former against the latter, that I
> have not downloaded a compromised tarball AND compromised PGP key. Thoughts?
I suppose that would be useful. Debian, for example, could have a package "upstream-keyring" to go along with their "debian-keyring" package that furnishes the gpg keys of all registered Debian developers. At the same time, they may see maintaining such a package (checking continually for revocations and compromises, etc.) as not their problem. Dunno.

A more _standard_ (extant and functional) way you verify that a PGP/gpg key is valid is via signatures on that key (and the absence of a revocation certificate) in the worldwide web of trust.

Obviously, you would not _ever_ want to trust an upstream package _merely_ because it was accompanied by either J. Random PGP/gpg key or an MD5 sum, as any halfway competent intruder would fake those, too.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
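The scenario both posters describe, as an added example (this script is not from the thread or from any of the projects mentioned): a maintainer signs a tarball, an intruder on the FTP server replaces tarball, signature and public key together, and the two verification styles are compared. "Verify against the key served next to the tarball" accepts the intruder's release just as happily as the real one; verifying against a keyring obtained separately (the "upstream-keyring" idea) and checking that the signature was made by exactly the pinned fingerprint rejects it. The maintainer name, e-mail address, file names and directory layout are all made up; the only real tool used is gpg (2.x), and the "out-of-band" keyring is simply assumed to have been filled from a source other than the FTP server.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows that a tarball
# verified against the key served beside it proves nothing, while a key
# obtained separately and pinned by fingerprint catches a swapped release.
# All identities, file names and paths here are made up.
set -eu

WORK=$(mktemp -d)
cleanup() {
    # Stop the agents gpg started for each temporary home, then remove them.
    for h in "$WORK"/*/; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOME NAME EMAIL: create an unprotected RSA signing key (primary key
# only, no subkey) in HOME and export its public half to HOME/pub.asc, which
# is what an FTP server would serve next to the tarball.
gen_key() {
    mkdir -p "$1"; chmod 700 "$1"
    cat > "$1/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    gpg --homedir "$1" --batch --quiet --gen-key "$1/params" 2>/dev/null
    gpg --homedir "$1" --batch --quiet --armor --export "$3" > "$1/pub.asc"
}

# fingerprint HOME EMAIL: primary-key fingerprint as 40 hex digits.
fingerprint() {
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_file HOME FILE: write a detached, ASCII-armored signature to FILE.asc.
sign_file() {
    gpg --homedir "$1" --batch --quiet --armor --detach-sign \
        --output "$2.asc" "$2" 2>/dev/null
}

# verify_naive TARBALL SIG KEYFILE: tarball, signature and key all taken from
# the same server. gpg exits 0 for any good signature, trusted key or not.
verify_naive() {
    h="$WORK/naive"; rm -rf "$h"; mkdir -p "$h"; chmod 700 "$h"
    gpg --homedir "$h" --batch --quiet --import "$3" 2>/dev/null
    if gpg --homedir "$h" --batch --verify "$2" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# verify_pinned TARBALL SIG TRUSTED_HOME FPR: verify only against the keyring
# the user obtained out of band, and require that the VALIDSIG status line
# names exactly the pinned fingerprint (the keys here have no subkeys, so the
# signing-key fingerprint is the primary-key fingerprint).
verify_pinned() {
    status=$(gpg --homedir "$3" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || status=""
    case "$status" in
        *"[GNUPG:] VALIDSIG $4 "*) echo accepted ;;
        *) echo rejected ;;
    esac
}

demo() {
    # The legitimate maintainer signs foo-1.0.tar.gz (constructed content).
    gen_key "$WORK/maintainer" "Foo Group GmbH" "release@foo.example"
    printf 'legitimate release\n' > "$WORK/foo-1.0.tar.gz"
    sign_file "$WORK/maintainer" "$WORK/foo-1.0.tar.gz"

    # An intruder on the FTP server replaces tarball, signature AND key.
    gen_key "$WORK/intruder" "Foo Group GmbH" "release@foo.example"
    mkdir -p "$WORK/ftp"
    printf 'backdoored release\n' > "$WORK/ftp/foo-1.0.tar.gz"
    sign_file "$WORK/intruder" "$WORK/ftp/foo-1.0.tar.gz"
    cp "$WORK/intruder/pub.asc" "$WORK/ftp/foo.asc"

    # Assumption: the user's trusted keyring and the pinned fingerprint came
    # from somewhere other than the FTP server (a distro keyring package, a
    # fingerprint read at a key-signing party), so they are the maintainer's.
    mkdir -p "$WORK/trusted"; chmod 700 "$WORK/trusted"
    gpg --homedir "$WORK/trusted" --batch --quiet --import "$WORK/maintainer/pub.asc" 2>/dev/null
    pinned=$(fingerprint "$WORK/maintainer" "release@foo.example")

    legit="$WORK/foo-1.0.tar.gz"; bad="$WORK/ftp/foo-1.0.tar.gz"
    printf 'naive:%s,%s pinned:%s,%s\n' \
        "$(verify_naive "$legit" "$legit.asc" "$WORK/maintainer/pub.asc")" \
        "$(verify_naive "$bad" "$bad.asc" "$WORK/ftp/foo.asc")" \
        "$(verify_pinned "$legit" "$legit.asc" "$WORK/trusted" "$pinned")" \
        "$(verify_pinned "$bad" "$bad.asc" "$WORK/trusted" "$pinned")"
}

if command -v gpg >/dev/null 2>&1; then
    RESULT=$(demo)
else
    RESULT="skipped: gpg not installed"
fi
printf '%s\n' "$RESULT"
```

Each result pair is "legitimate release, intruder's release". The naive check accepts both, because the intruder signed the swapped tarball with the swapped key and the two agree with each other perfectly. The pinned check accepts only the real one: the intruder's key is not in the out-of-band keyring, so gpg reports no public key, and even if it had been imported the VALIDSIG fingerprint would not match the pinned one. An MD5 sum file served from the same host fails in exactly the same way as the key file does.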