
Re: Bug#707006: [nikcub@gmail.com: Live CD keys missing from key server]



03.04.2014 00:50, Jonathan McDowell wrote:
> Public keyservers aren't expected to provide verification of key
> authenticity. The signatures on the keys themselves do that. The Debian
> Live CD key is signed by Daniel, whose key is then signed by many other
> DDs (and present in the debian-keyring package). If we pushed the Live
> CD role key to the debian-keyring package we're still assuming the user
> has access to a Debian box to install it and then also has a proper
> trust path (presumably via the shasums on the APT package lists and then
> the Debian archive signing key for those package lists) to that package.
> If they're not using a Debian box to write the live CD then none of
> these pieces help.
> 
> In short putting the Live CD key in the debian-keyring package doesn't
> demonstrably solve the problem of verifying a Live CD that I can tell.

Putting the Live CD key in the debian-keyring package makes verification MUCH easier. It would be enough to run `gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg /path/to/SHA1SUMS.sig', instead of having to find a signature made by the right key.
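As an added illustration of the workflow this reply describes (example code written for this page, not from the thread, from Debian's tooling, or from the debian-keyring package): a POSIX sh script that verifies the detached signature on a checksum file with gpgv against a fixed local keyring and then checks the image against that file. The keyring path is the one named in the reply; the SHA1SUMS.sig / SHA1SUMS file names and the image name are assumptions. Two caveats a practitioner should keep in mind: gpgv consults no keyserver and no trust database, so every key in the keyring it is handed counts as fully trusted, which is exactly why the keyring itself has to arrive through a trusted channel such as an installed package; and gpgv wants a binary (non-armored) keyring, so an exported .asc must be de-armored before use.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: verify a Debian Live image
# through a signed checksum file using only a local keyring (no keyserver).
# File names and paths below are assumptions for illustration.

set -u

# Digest helper so the script runs where only shasum (not sha1sum) exists.
sha1_of() {
    { if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi; } \
        | awk '{print $1}'
}

# Verify the detached signature on the checksum file.
# gpgv treats every key in KEYRING as trusted and checks nothing else, so the
# keyring is the whole root of trust. Exit status is gpgv's: 0 only for a good
# signature made by a key present in KEYRING.
verify_sums_signature() {
    keyring=$1 sig=$2 sums=$3
    gpgv --keyring "$keyring" "$sig" "$sums"
}

# Check one file against a SHA1SUMS-style list (lines of "<hex>  <name>" or
# "<hex> *<name>"). Returns 0 on match, 1 on mismatch or missing entry.
check_sum_entry() {
    sums=$1 file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha1_of "$file")
    [ "$expected" = "$actual" ]
}

# A valid signature alone proves nothing about the image; the digest check
# binds the downloaded image to the signed list.
verify_live_image() {
    keyring=$1 sig=$2 sums=$3 image=$4
    verify_sums_signature "$keyring" "$sig" "$sums" || return 1
    check_sum_entry "$sums" "$image"
}

# Usage: sh verify-live.sh /usr/share/keyrings/debian-role-keys.gpg \
#            SHA1SUMS.sig SHA1SUMS debian-live.iso
if [ "$#" -eq 4 ]; then
    if verify_live_image "$@"; then
        echo "verified: $4"
    else
        echo "verification FAILED: $4" >&2
        exit 1
    fi
fi
```

The digest check is done in the script rather than with `sha1sum -c` on the whole list because a Debian checksum file lists every image of a release and only the one that was downloaded is present locally.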

