Re: Signing Packages.gz
On Sat, 1 Apr 2000, Anthony Towns wrote:
> * the web of trust, and having the ftp-team sign it
The average user has no entry to the web of trust, so this is just as
useless. (and massively involved for our poor end user)
> * putting a fingerprint on the website and in Debian books,
> and making it easy for people to verify said fingerprint
This is probably the only thing we can do.
> This key (or the private half thereof) wouldn't need to be anywhere near
> any public machines, either.
? The dinstall daily key has to be on master and have no password. The
security key is kept by a handful of people on their local machines who
are rather paranoid.
> Stick it on the ftp site, and use the web of trust. (If the secure-key that
> you currently have trusts it, then it's good. Either because it's an update
> of the old secure-key, or because it's an unstable-key).
The security key must never be obsoleted, it should last the lifetime of
the project - anything else is too complicated for our users :|
> or so before gzipping anything.
I'd like a separate global index, that is much more useful really.
Jason