I want to check the signature of the file 'MD5SUM' for 2.2 rev 6 i386:
#gpg --verify MD5SUM
gpg: Signature made Fri Apr 5 20:38:10 2002 CEST using DSA key ID DD9B9910
gpg: Can't check signature: public key not found
I already asked that question for 2.2 rev 5 i386, and received a proper answer (thanks Steve McIntyre).
We should look at that security problem more seriously.
The file MD5SUM is really the keystone of the whole 4-CD distribution.
It is very important that the signature can be easily checked by different means.
Only people who have Debian running on a server can access keyservers (I don't).
So I suggest this file should be signed by different people:
1: the one who made the images (obvious, but he's not always the same person)
2: the one who made the previous image (so, if we are confident in that previous release, we can also be confident in the new release)
3: the system administrator of this download site (if I'm a student or working in that company and have confidence in that administrator, then I can be confident in the new release)
4: some kind of major master key created at 2.2 r0 (and released with the official CD vendors) and still used up to r6 (of course it should also sign the new key for 2.4 r0)
5: Linus Torvalds himself, E.T., the Rolling Stones, Mulder...
Joking aside, it's really, really important to be able to check before installing.
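The check the post is trying to do, as an added example (not code from the post or from the Debian CD team): first decide what gpg actually said about the MD5SUM signature, since "public key not found" means nothing was checked at all, then verify the files listed in the clearsigned manifest. It assumes MD5SUM is clearsigned (so `gpg --verify MD5SUM` applies, as in the post), that a keyring file may be passed in for people who cannot reach a keyserver, and that the gpg status lines, key ID, file names and digests below are constructed samples for offline use.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# gpg --status-fd keywords (GnuPG doc/DETAILS). GOODSIG alone only says "a key in
# my keyring made this"; the TRUST_* line says whether that key is trusted, which
# is what the multi-signer proposal above is really about.
_TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                 "TRUST_FULLY", "TRUST_ULTIMATE")

# Constructed sample status output; the key ID is a placeholder, not a real key.
SAMPLE_STATUS_NOPUBKEY = ("[GNUPG:] NEWSIG\n"
                          "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1018031890 9\n"
                          "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
SAMPLE_STATUS_GOOD = ("[GNUPG:] NEWSIG\n"
                      "[GNUPG:] GOODSIG 0123456789ABCDEF Sample Signer <signer@example.org>\n"
                      "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

def classify_gpg_status(status_text):
    """Reduce status-fd output to (verdict, keyid, trust); verdict is 'good', 'bad',
    'nopubkey' (the post's case: nothing was actually verified) or 'error'."""
    verdict, keyid, trust = "error", None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ordinary gpg chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            verdict, keyid = "good", fields[2]
        elif keyword in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            verdict, keyid = "bad", fields[2]   # expired/revoked keys are not "good"
        elif keyword == "NO_PUBKEY":
            verdict, keyid = "nopubkey", fields[2]
        elif keyword in _TRUST_LEVELS:
            trust = keyword
    return verdict, keyid, trust

def verify_with_gpg(md5sum_path, keyring=None):
    """Run gpg --verify and classify it; None when gpg is not installed.
    keyring: path to a keyring file (assumption: e.g. one shipped on the CD or in
    a debian-keyring package), so an offline user needs no keyserver at all."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    proc = subprocess.run(cmd + [str(md5sum_path)], capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)

def clearsigned_body(text):
    """Lines of the message inside a clearsign envelope (RFC 4880 section 7):
    skip the 'Hash:' headers, stop at the signature, undo '- ' dash-escaping."""
    lines = text.splitlines()
    start = lines.index("") + 1 if lines and lines[0].startswith("-----BEGIN PGP SIGNED") else 0
    body = []
    for line in lines[start:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return body

def check_md5sums(md5sum_path, directory):
    """Map each '<32 hex>  <name>' (or ' *<name>') entry to 'ok', 'FAILED' or 'missing'."""
    results = {}
    for line in clearsigned_body(Path(md5sum_path).read_text()):
        if len(line) < 35 or not line[:32].isalnum():
            continue                      # blank line or comment, not a checksum entry
        expected, name = line[:32].lower(), line[34:].strip()
        target = Path(directory) / name
        if not target.is_file():
            results[name] = "missing"
        else:
            digest = hashlib.md5(target.read_bytes()).hexdigest()
            results[name] = "ok" if digest == expected else "FAILED"
    return results

def build_sample(directory=None):
    """Constructed CD directory: two files plus a clearsign-shaped MD5SUM with one
    correct digest, one wrong digest and one missing file. The signature block is
    a placeholder, so only the checksum half can be exercised offline."""
    directory = Path(directory or tempfile.mkdtemp())
    good = b"sample bytes standing in for binary-i386-1.iso"
    (directory / "good.iso").write_bytes(good)
    (directory / "tampered.iso").write_bytes(b"not the bytes that were listed")
    manifest = "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
        f"{hashlib.md5(good).hexdigest()}  good.iso",
        "0" * 32 + "  tampered.iso",
        "f" * 32 + " *absent.iso",
        "-----BEGIN PGP SIGNATURE-----", "(placeholder)", "-----END PGP SIGNATURE-----", ""])
    path = directory / "MD5SUM"
    path.write_text(manifest)
    return path, directory
```

Usage: `verify_with_gpg("MD5SUM", keyring="debian-keyring.gpg")` followed by `check_md5sums("MD5SUM", ".")`; only act on the checksums when the verdict is `good`. A `good` verdict with `TRUST_UNDEFINED` still means the key is not in your web of trust, so compare its fingerprint out of band (which is exactly what the extra signers proposed above would give you more of); `nopubkey` means the signature was never checked, however reassuring the file looks.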