Re: fingerprint of the archive signing key

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: fingerprint of the archive signing key
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 29 Jun 2004 18:34:07 +0100
Message-id: <[🔎] 20040629173407.GD22096@riva.ucam.org>
Mail-followup-to: debian developers <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20040629172848.GA19987@suffields.me.uk>
References: <[🔎] 20040629003951.GA14964@cirrus.madduck.net> <[🔎] 20040629005028.GA22050@suffields.me.uk> <[🔎] 20040629013230.GB14609@cirrus.madduck.net> <[🔎] 20040629115722.GA24190@suffields.me.uk> <[🔎] 87pt7izfnc.fsf@alhambra.bioz.unibas.ch> <[🔎] 20040629172848.GA19987@suffields.me.uk>

On Tue, Jun 29, 2004 at 06:28:49PM +0100, Andrew Suffield wrote:
> On Tue, Jun 29, 2004 at 02:56:39PM +0200, Frank K?ster wrote:
> > What's the difference between Martin trusting the certificates of that
> > company and your trusting any DD's gpg signature? It seems the
> > difference is that Martin knows people from the company personally,
> > while you don't know most DDs.
> 
> No, the difference is that you only have to trust one DD,

Actually, you have to trust all of them, because they all have effective
root access to your system (unless you audit every upload, which is
about as plausible as people checking every SSL certificate).

> while you have to trust the janitors from the company, who are
> probably immigrants working for a pittance.

Only if the company is foolish enough to allow anyone who wanders in the
door to make a signature from their CA.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

Follow-Ups:
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>

References:
- fingerprint of the archive signing key
  - From: martin f krafft <madduck@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: martin f krafft <madduck@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: Frank Küster <frank@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>

Prev by Date: Re: fingerprint of the archive signing key
Next by Date: Re: Impossible dependency: slang1-dev vs. slang1-utf8-dev
Previous by thread: Re: fingerprint of the archive signing key
Next by thread: Re: fingerprint of the archive signing key
Index(es):
- Date
- Thread