As APT 0.6 will check for package signatures, the archive signing key will become more relevant to our users. However, I currently cannot find a place on our webpage from which the key is linked, nor information on how to get it or how to verify it.

I think we should have a page explaining the key and its trust basis, and also publish the key's fingerprint. If that page could be SSL-tunneled and signed with a certificate christened by an official CA (which the SPI would buy), then it'd be basically bulletproof.

I am bringing this up here before filing a bug against a meta-package because I was slammed down last time I tried to suggest changes to the website. Thus, I want to reach consensus first.

-- 
Please do not CC me when replying to lists; I read them!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!