Re: About GPG-signing the public RSA keys of Debian machines



Hi,

Joerg Jaspert <joerg@debian.org> wrote:

>>   1. There is also:
>>          * Entry created: 0000/00/00 00:00:00 UTC
>>          * Entry modified: 0000/00/00 00:00:00 UTC 
>
> Those fields could be removed and not shown, that would "fix" this. It's
> just that in the past we had those filled in, now we don't (show them anymore).

Okay...

>>   2. Even worse, the page has:
>>        Last Modified: Tue, Feb 1 19:13:06 UTC 2005
>>      which is *way before* the compromise. Ugh.
>
> Yes, but that only means the html code for the layout, not the page
> itself. The page is generated dynamically.

This explains well why the "last modified" date predates the compromise,
but IMHO, the fact that said date only applies to the page template is
not at all obvious when reading the page.

>>   2. I have to trust the integrity of db.debian.org.
>
> Signing the keys you would have to trust whoever signed it. Same thing.

I don't think both processes give the same trust level; David gave good
arguments why, so I won't repeat them here.

Regards,

-- 
Florent


