
Re: Canonical source for the new CD signing key's fingerprint?



Dr. Ed Morbius wrote:
>on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+debian@gmail.com) wrote:
>> I've recently downloaded the net installation image for Squeeze, but
>> am really uncomfortable with the fact that I can't establish a firm
>> trust path to the CD signing key. Is there a canonical place to get
>> the fingerprint of this key, so that at least one can have some
>> confidence that the key one is validating with is at least the
>> widely-known (and generally accepted) one?
>> 
>> As a hack, I've done this on an Ubuntu 10.10 system:
>> 
>>   gpg --recv-keys 6294BE9B
>>   gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>> 
>> While this shows that this particular key has been signed by some
>> Debian developers, it doesn't actually validate that the key is the
>> official key for verifying the ISOs.
>> 
>> Can anyone point me to ANY debian.org page that defines the official
>> key for CD images? Major bonus for any official links to fingerprints
>> for the CD signing key.
>
>You don't trust a key by where you got it.
>
>You trust a key by who's signed it.
>
>    http://www.rubin.ch/pgp/weboftrust.en.html
>    http://www.pgpi.org/doc/pgpintro/
>
>Otherwise: you're saying you trust DNS more than PKI?
>
>It would be a Good Thing for the Debian CD signing key to be more widely
>signed (assuming that 6294BE9B is in fact the signing key).
>
>My signing this email simply says that a person who has access to the
>associated GPG private key wrote it, and (assuming the signature
>validates), content hasn't been altered.
>
>Without known trusted signatures on my key, I could be anybody.

The CD signing key 6294BE9B has been signed by a number of people,
including the CD team leader (me!), a previous DPL (well, also me!)
and the two current Release Managers. I'll be adding more signatures
soon, I hope. That key has not been in existence very long, and these
things take time...

In the meantime (and I've mentioned this to the OP over on the -cd
list), an update to the Debian website should go live shortly listing
all the keys we use / have used, as it seems some people prefer that
to the WoT.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
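The quoted commands look up the key by its 32-bit short ID, which is not enough to pin it; as an added example (not from this thread), the POSIX shell check below compares the full 160-bit fingerprint from a `gpg --with-colons` listing against a value obtained out of band, and only then verifies a signed checksum file and the image. The fingerprint, the gpg listing, `verify_image`, and the `SUMSFILE.sign` naming are constructed assumptions, not the real key's data.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumption: EXPECTED_FPR and the
# sample listing are constructed placeholders; the real fingerprint of
# 6294BE9B must come from an out-of-band source (the debian.org key page
# or signatures from developers you already trust), never from the key server.
EXPECTED_FPR='0123 4567 89AB CDEF 0123 4567 89AB CDEF 6294 BE9B'

# check_fpr EXPECTED KEYID  (reads `gpg --with-colons --fingerprint` on stdin)
# Compares the full 160-bit fingerprint of the key whose ID ends in KEYID with
# EXPECTED. Short IDs like 6294BE9B are only 32 bits and can be collided, so a
# match on the full fingerprint is the actual check. Returns 0 on match.
check_fpr() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    keyid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    # "pub" records carry the long key ID in field 5; the following "fpr"
    # record carries the fingerprint in field 10. Subkey records reset the match.
    actual=$(awk -F: -v id="$keyid" '
        $1 == "pub" { want = (substr($5, length($5) - length(id) + 1) == id) }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; exit }')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed sample of gpg colon output for a key with short ID 6294BE9B.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF6294BE9B:1294000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF6294BE9B:
uid:-::::1294000000::0000000000000000000000000000000000000000::Constructed CD signing key <cd@example.org>:'

# verify_image KEYID EXPECTED_FPR SUMSFILE
# Only after the fingerprint check passes: verify the detached signature on the
# checksum file, then check the downloaded image against it. Assumes gpg,
# sha256sum, SUMSFILE and SUMSFILE.sign are present in the current directory.
verify_image() {
    gpg --with-colons --fingerprint "$1" | check_fpr "$2" "$1" || {
        echo "fingerprint mismatch for $1; refusing to trust this key" >&2
        return 1
    }
    gpg --verify "$3.sign" "$3" || return 1
    sha256sum -c --ignore-missing "$3"
}
```

Run `verify_image 6294BE9B "$EXPECTED_FPR" SHA256SUMS` from the download directory once EXPECTED_FPR holds the fingerprint you obtained independently; a mismatch stops before any signature is checked.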

