
Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository

Hi Goswin,

On Mon, Jun 23, 2008 at 01:07:38AM +0200, Goswin von Brederlow wrote:
> For example: Each repository puts its keyring into Release.keyring
> (next to Release and Release.gpg). The Release.keyring could be listed
> with checksum in Release so frontends know it is there and when it
> changes.

personally I'm not sure if it is good at all to store the key on the
server whose integrity is to be checked. In my opinion it would be
necessary to get the key from some trusted instance, because if I'm not
well-integrated into the web of trust myself I cannot rely on the key
being checkable by my own trust-net.

> I'm not proposing that just any key should be silently accepted. Just
> that it should be automatically fetched and independent of debs. I
> already did run into a case where I could not update the keyring
> package because the Release signature required the new keyring
> package.

I understand now. It's an interesting idea, I just think that some factors
need to be worked out, because there should be a chance for the *average*
user to understand if a key could possibly be trusted or not. (Not every user
understands that web of trust thing and this is something that can't
really be asked for).

Best Regards,

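The Release.keyring check that the quoted proposal describes, as an added illustration that is not code from this thread, from apt or from backports.org; the Release file contents and keyring bytes are constructed sample data, and the checksum-section layout (a "SHA256:" header followed by indented "<hex> <size> <name>" lines) is the usual Release format:

```python
"""Check a Release.keyring file against the checksum listed in a Release file.

What this shows: a matching checksum only proves that Release.keyring is the
file the Release file describes. It says nothing about whether the key can be
trusted, because both files come from the same server; trust still has to
come from a signature over Release checked with a key obtained out of band.
"""
import hashlib

# Constructed sample keyring bytes (stands in for a real GnuPG keyring).
KEYRING = b"constructed-keyring-bytes"

# Constructed Release file; the Release.keyring entry is computed from KEYRING,
# the Packages entry is a made-up placeholder.
RELEASE = f"""Origin: Debian Backports
Suite: etch-backports
SHA256:
 {hashlib.sha256(KEYRING).hexdigest()} {len(KEYRING)} Release.keyring
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""


def parse_checksums(release_text, section="SHA256"):
    """Return {filename: (hexdigest, size)} from the named checksum section."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Unindented lines are field headers; track whether we are in
            # the wanted checksum section.
            in_section = line.rstrip() == section + ":"
            continue
        if in_section:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def keyring_matches_release(release_text, keyring_bytes):
    """True if Release.keyring's SHA256 and size equal the Release entry."""
    entry = parse_checksums(release_text).get("Release.keyring")
    if entry is None:
        return False  # Release does not list a keyring at all
    digest, size = entry
    return (hashlib.sha256(keyring_bytes).hexdigest() == digest
            and len(keyring_bytes) == size)
```

A frontend that passes this check has only confirmed that Release and Release.keyring agree with each other; whether the key inside is the one a trusted instance vouches for is a separate question this check cannot answer.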