[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Canonical source for the new CD signing key's fingerprint?

On 20110316_210330, Steve McIntyre wrote:
> Dr. Ed Morbius wrote:
> >on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+debian@gmail.com) wrote:
> >> I've recently downloaded the net installation image for Squeeze, but
> >> am really uncomfortable with the fact that I can't establish a firm
> >> trust path to the CD signing key. Is there a canonical place to get
> >> the fingerprint of this key, so that at least one can have some
> >> confidence that the key one is validating with is at least the
> >> widely-known (and generally accepted) one?
> >> 
> >> As a hack, I've done this on an Ubuntu 10.10 system:
> >> 
> >>   gpg --recv-keys 6294BE9B
> >>   gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
> >> 
> >> While this shows that this particular key has been signed by some
> >> Debian developers, it doesn't actually validate that the key is the
> >> official key for verifying the ISOs.
> >> 
> >> Can anyone point me to ANY debian.org page that defines the official
> >> key for CD images? Major bonus for any official links to fingerprints
> >> for the CD signing key.
> >
> >You don't trust a key by where you got it.
> >
> >You trust a key by who's signed it.
> >
> >    http://www.rubin.ch/pgp/weboftrust.en.html
> >    http://www.pgpi.org/doc/pgpintro/
> >
> >Otherwise: you're saying you trust DNS more than PKI?
> >
> >It would be a Good Thing for the Debian CD signing key to be more widely
> >signed (assuming that 6294BE9B is in fact the signing key).
> >
> >My signing this email simply says that a person who has access to the
> >associated GPG private key wrote it, and (assuming the signature
> >validates), content hasn't been altered.
> >
> >Without known trusted signatures on my key, I could be anybody.
> The CD signing key 6294BE9B has been signed by a number of people,
> including the CD team leader (me!), a previous DPL (well, also me!)
> and the two current Release Managers. I'll be adding more signatures
> soon, I hope. That key has not been in existence very long, and these
> things take time...
> In the meantime (and I've mentioned this to the OP over on the -cd
> list), an update to the Debian website should go live shortly listing
> all the keys we use / have used, as it seems some people prefer that
> to the WoT.


This certainly goes a long way towards answering my concerns. If the
source of this email, to which I am responding, were not actually the
real Steve McIntyre, then I would expect the real Steve M. to object
very quickly to an imposter posting to the debian-user list. Or some
other very frequent poster to this list, who happens to know you in
first life, objecting that there was something strange about the

But all this paranoid thinking will soon be put to rest because of
your very reasonable plan to post signing key fingerprints on the
Debian web site. That web site gets mirrored in so many different
places under the control of so many different people that it is really
really irrational to suppose that some conspiracy of *they*, can
corrupt the internet to the point that no interested party can
discover a deception.

Thanks for all the work you have put into Debian, and for being so
very patient with us paranoids ;-0

Paul E Condon           

Reply to: