
Re: Migrating to GPG - A mini-HOWTO



Jason Gunthorpe wrote:
> 
> On Tue, 14 Sep 1999, Martin Schulze wrote:
> 
> > > But we decided that we do not -want- to create a new web of trust, it is
> > > too much work and totally unnecessary. The RSA patent expires in 11
> > > months, it is wasteful to throw everything away now.
>  
> > I'm sorry, but that's ridiculous.  You and James can't decide that.
> > Each maintainer has to decide it on his own.  We can pave ways,
> > people have to make their own decision and go the way on their own.
> 
> But that is exactly what you are doing with your HOWTO, you are saying
> that the official thing for Debian is to have OpenPGP keys that are not
> signed by older RSA keys without even mentioning that this is possible and
> a good thing to do!

I'm sorry, but you have to read the HOWTO again.  I don't say that it
is official in any way.  I can't do that and I know that.

<quote>
Scope

   This Mini-HOWTO is intended to help Debian people convert from
   using PGP to GnuPG for their work within the Debian Project.
</quote>

Go back and read again, at no line I say what you try to make people
think.

Additionally, go and read the blurb I said. 

"please edit and distribute".  So why aren't you editing it and filling
in all the parts that I don't know and nobody told me about?  (Although
you told me about the pgp/gpg mixture, I haven't grokked it and therefore
don't feel comfortable writing something about it.)

> > If the people that signed the key are still known and also use GnuPG
> > these days, they can sign the new key as well.  If not, the maintainer
> > has to decide what to do.  It's good to have the option to continue
> > with the old key, though.
> 
> I hope you are not saying that people should sign your new key based on
> the fact that they signed your old key - that is an entirely bad idea.

If that would be an entirely bad idea then we should stop signing the
.dsc and .changes files since it's based on the idea that the old key
was valid as well.  If you can't trust the old pgp key, what can you
trust instead?  I'm sorry!

Regards,

	Joey

-- 
Let's call it an accidental feature.  --Larry Wall

Please always Cc to me when replying to me on the lists.

