Re: Migrating to GPG - A mini-HOWTO
Jason Gunthorpe wrote:
> > > Nono, the new key must have a signature on it from the old RSA key (this
> > > is possible) then you can send it in a signed message to the keyring
> > > people. Otherwise our web of trust is totally trashed, very bad.
> > Nono! The new key does not need to have a signature from the old pgp
> > key on it. You can still create a new web of trust and only use the
> > new key. You do not have to "mess" around with the rsa module. This
> > is an option, not a must.
> But we decided that we do not -want- to create a new web of trust, it is
> too much work and totally unnecessary. The RSA patent expires in 11
> months, it is wasteful to throw everything away now.

I'm sorry, but that's ridiculous. You and James can't decide that.
Each maintainer has to decide it on his own. We can pave ways,
people have to make their own decision and go the way on their own.

> Either the keysignings are a purely pointless exercise and we don't care
> about a web of trust, or they have meaning and should be preserved
> whenever possible.

If the people that signed the key are still known and also use GnuPG
these days, they can sign the new key as well. If not, the maintainer
has to decide what to do. It's good to have the option to continue
with the old key, though.

Let's call it an accidental feature. --Larry Wall
Please always Cc to me when replying to me on the lists.