On Mon, Oct 09, 2006 at 08:19:33PM +0200, Florent Rougon wrote:
> > 2. I have to trust the integrity of db.debian.org.
>
> I think it would be much better if someone from debian-admin would be so
> kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
> have to trust that James Troup and Martin Schulze[1] take good care of
> their GPG keys.

See: http://lists.debian.org/debian-project/2006/07/msg00056.html

Which has the key in it, and is signed by James Troup.

Most Debian hosts should have an /etc/ssh/ssh_known_hosts with all host keys in.

I suggest you read: http://db.debian.org/doc-hosts.html

Anyway, if you don't trust db.debian.org, how did you log in the first time to any Debian machine? I assume you've used https and that you verified the certificate? And saw that it was issued by SPI? And then you looked up SPI's certificate? And you found that there is a text file with the SHA1 and MD5 sum signed by Wichert Akkerman?

For those that don't know those files:
http://www.spi-inc.org/secretary/spi-ca.crt
http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt

Kurt
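Kurt's point about checking a host key against a GPG-signed announcement, worked through as an added Python example (not code from this thread or from Debian's own tooling): it parses an ssh_known_hosts file, computes the MD5 and SHA256 fingerprints ssh-keygen would print, and checks the key stored for a host against a fingerprint copied from the signed post. The known_hosts entry and the key bytes are constructed for the example, not a real Debian host key.

```python
"""Check a host key from ssh_known_hosts against a fingerprint from a signed announcement."""
import base64
import hashlib
import struct

def parse_known_hosts(text):
    """Yield (hostnames, keytype, blob) for each key line; skip comments and markers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # drop a @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, blob = fields[0].split(","), fields[1], base64.b64decode(fields[2])
        # The wire blob begins with a length-prefixed type string that must equal the
        # declared type; a mismatch means a corrupted or tampered entry.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n].decode() != keytype:
            raise ValueError("key type mismatch on line: " + line)
        yield hosts, keytype, blob

def fingerprint_md5(blob):
    """Legacy colon-separated hex MD5 fingerprint, as older ssh-keygen printed it."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob):
    """SHA256 fingerprint, base64 without padding, as modern ssh-keygen prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_key_matches(known_hosts_text, host, expected):
    """True if a key stored for `host` has fingerprint `expected` (MD5 or SHA256 form),
    False if the host is listed but no key matches, None if the host is not listed."""
    listed = False
    for hosts, _keytype, blob in parse_known_hosts(known_hosts_text):
        if host not in hosts:
            continue
        listed = True
        if expected in (fingerprint_md5(blob), fingerprint_sha256(blob)):
            return True
    return False if listed else None

# Constructed sample: an ed25519 wire blob (type string + 32 key bytes); not a real Debian host key.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KNOWN_HOSTS = ("# constructed example, not the real /etc/ssh/ssh_known_hosts\n"
                      "host.example.org,192.0.2.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + "\n")
```

Paste the fingerprint from the signed message as `expected`; a `None` result means the host is simply not in the file, while `False` means the stored key does not match the announced one.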