
Re: TLS encrypted source for Debian iso signing keys?



On Mon, Jul 02, 2012 at 11:34:15AM -0700, anotst01@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
> 
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trusted
> source either, or is there?
> 
> If the answer is no, which would be the correct component to file a bug
> against?
> 
I agree with the OP that it is not necessarily easy to become a part of
the greater GPG / Debian web of trust.  As a simple Debian user and
administrator, I have never had the occasion to meet a Debian developer
in person.

A while back I started a thread about how to properly verify the Lenny
iso, which Steve McIntyre helped me out with.
http://lists.debian.org/debian-user/2010/07/msg00492.html

Basically you can use the debian-keyring package to obtain keys of many
Debian developers.  You can have a high level of trust that those keys
are real because the package is signed and apt-get would notify you if
the signature was not real.  The iso you are downloading should be 
signed by someone in that keyring.

-Rob
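
Added example, not part of the message above or of any Debian tooling: one way to script the check Rob describes, verifying the signature on the checksum file against the debian-keyring package's keyring before trusting the checksum itself. The file names SHA512SUMS and SHA512SUMS.sign, the keyring path and the ISO name are assumptions.

```shell
# Added example. Needs gpgv and the debian-keyring package:
#   apt-get install debian-keyring
# Assumed inputs: a SHA512SUMS file and its detached signature
# SHA512SUMS.sign downloaded next to the ISO; all names come from the caller.
# usage: verify_iso KEYRING SUMS SIG ISO
verify_iso() {
    _keyring=$1 _sums=$2 _sig=$3 _iso=$4

    # Step 1: signature. gpgv accepts only keys present in the keyring
    # it is given and exits non-zero on a bad or unknown-key signature.
    if ! gpgv --keyring "$_keyring" "$_sig" "$_sums"; then
        echo "FAIL: signature on $_sums did not verify" >&2
        return 1
    fi

    # Step 2: only now trust the checksum list. Match the ISO's exact name
    # (a leading '*' marks binary mode in coreutils output).
    _name=$(basename "$_iso")
    _expected=$(awk -v f="$_name" \
        '$2 == f || $2 == ("*" f) { print $1 }' "$_sums")
    if [ -z "$_expected" ]; then
        echo "FAIL: $_name is not listed in $_sums" >&2
        return 1
    fi

    _actual=$(sha512sum "$_iso" | awk '{ print $1 }')
    if [ "$_actual" != "$_expected" ]; then
        echo "FAIL: checksum mismatch for $_name" >&2
        return 1
    fi
    echo "OK: $_name matches a checksum signed by a key in $_keyring"
}

# Example call (assumed keyring path; placeholder ISO name):
#   verify_iso /usr/share/keyrings/debian-keyring.gpg \
#       SHA512SUMS SHA512SUMS.sign debian-netinst.iso
```

The order matters: a checksum that matches an unsigned or wrongly signed list proves nothing about where the ISO came from.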

