Re: Migrating to GPG - A mini-HOWTO
Jason Gunthorpe wrote:
> To be a useful replacement for PGP2.x you will need one of the two RSAs
Only if you decide to continue to use software with patent problems and
not pure gnupg/openpgp combined with a new web of trust.
> > Signing .dsc and .changes files
> > The Debian Installation routine (dinstall) is already prepared to
> > accept GnuPG keys. Your key has to be included in the keyring.gpg,
> > though. If this isn't done yet, send it to the keyring maintainer
> > at firstname.lastname@example.org. If your GnuPG key doesn't have a
> > proper signature, you should sign that mail using your old PGP key,
> > so the keyring maintainer can ensure that he's not adding an
> > intruder's key.
> Nono, the new key must have a signature on it from the old RSA key (this
> is possible) then you can send it in a signed message to the keyring
> people. Otherwise our web of trust is totally trashed, very bad.
Nono! The new key does not need to have a signature from the old pgp
key on it. You can still create a new web of trust and only use the
new key. You do not have to "mess" around with the rsa module. This
is an option, not a must.
> However, everyone should be -using- gpg with their old PGP 2.x key.
I disagree. The rsa module has patent problems. It should not be
used. If people want to use it that's fine.
Let's call it an accidental feature. --Larry Wall
Please always Cc to me when replying to me on the lists.