Re: Signing Packages.gz

On Sat, 1 Apr 2000, Anthony Towns wrote:

> 	* the web of trust, and having the ftp-team sign it

The average user has no entry to the web of trust, so this is just as
useless. (and massively involved for our poor end user)

> 	* putting a fingerprint on the website and in Debian books,
> 	  and making it easy for people to verify said fingerprint

This is probably the only thing we can do.

> This key (or the private half thereof) wouldn't need to be anywhere near
> any public machines, either.

? The dinstall daily key has to be on master and have no password. The
security key is kept by a handful of people on their local machines who
are rather paranoid.

> Stick it on the ftp site, and use the web of trust. (If the secure-key that
> you currently have trusts it, then it's good. Either because it's an update
> of the old secure-key, or because it's an unstable-key).

The security key must never be obsoleted, it should last the lifetime of
the project - anything else is too complicated for our users :|

> or so before gzipping anything.

I'd like a separate global index, that is much more useful really.


