[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Migrating to GPG - A mini-HOWTO

Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:

> Jason Gunthorpe wrote:
> > > > Nono, the new key must have a signature on it from the old RSA key (this
> > > > is posisble) then you can send it in a signed message to the keyring
> > > > people. Otherwise our web of trust is totally trashed, very bad.
> > > 
> > > Nono!  The new key does not need to have a signature from the
> > > old pgp key on it.  You can still create a new web of trust and
> > > only use the new key.  You do not have to "mess" around with the
> > > rsa module.  This is an option, not a must.
> > 
> > But we decided that we do not -want- to create a new web of trust,
> > it is too much work and totally unnecessary. The RSA patent
> > expires in 11 months, it is wastefull to throw everything away
> > now.
> I'm sorry, but that's rediculous.  You and James can't decide that.
> Each maintainer has to decide it on his own.  We can pave ways,
> people have to make their own decision and go the way on their own.

Eh, calm down, Joey.  I not only can, but should and have decided that
GnuPG keys must be verified before they enter the keyring, i.e. I'm
not going to add a random key from a random developer without proof it
comes from that developer.  I'll hope you'll be so kind as to give me
your gracious blessing for taking that liberty.

If we're agreed on that, it follows there are two ways to do this: a)
they PGP sign the email, or b) they PGP sign the GnuPG key.  Now both
of these _force_ current developers to use non-free software.  Since
(a) gains us nothing and (b) not only allows us to maintain our web of
trust, nut _also_ allows one to use free-but-patent encumbered
software rather than plain Jane non-free software, I'm slightly lost
as to why you're losing your rag...


Reply to: