Re: TLS encrypted source for Debian iso signing keys?
On Mon, Jul 02, 2012 at 11:34:15AM -0700, anotst01@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
>
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trusted
> source either, or is there?
>
> If the answer is no, which were the correct component to file a bug
> against?
>
I agree with the OP that it is not necessarily easy to become a part of
the greater GPG / Debian web of trust. As a simple Debian user and
administrator, I have never had the occasion to meet a Debian developer
in person.

A while back I started a thread about how to properly verify the Lenny
iso, which Steve McIntyre helped me out with.
http://lists.debian.org/debian-user/2010/07/msg00492.html

Basically you can use the debian-keyring package to obtain keys of many
Debian developers. You can have a high level of trust that those keys
are real because the package is signed and apt-get would notify you if
the signature was not real. The iso you are downloading should be
signed by someone in that keyring.

-Rob
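
The check described in the message above, sketched as an added example that is not part of the original post or of any Debian tooling. It assumes the debian-keyring package is installed, that the signing key is in `/usr/share/keyrings/debian-role-keys.gpg`, and that the image directory provides a checksum file with a detached signature (called `SHA512SUMS` and `SHA512SUMS.sign` here); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against keys shipped by debian-keyring.
# Assumption: keyring path; override with KEYRING=... if your system differs.
KEYRING="${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# Step 1: the checksum file must carry a valid signature from a key in the
# keyring. gpgv accepts only keys present in the given keyring, so no
# web-of-trust decision or key download is involved.
sums_signed_by_keyring() {   # $1 = checksum file, $2 = detached signature
    gpgv --keyring "$KEYRING" "$2" "$1"
}

# Step 2: the ISO's hash must match its entry in the (now trusted) checksum file.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry at all.
iso_matches_sums() {         # $1 = checksum file, $2 = path to ISO
    name=$(basename "$2")
    # Lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    want=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1; exit}' "$1")
    [ -n "$want" ] || { echo "no entry for $name in $1" >&2; return 2; }
    got=$(sha512sum "$2" | awk '{print $1}')
    [ "$want" = "$got" ]
}

# Both steps, failing closed: a missing gpgv or keyring counts as a failure.
verify_iso() {               # $1 = ISO, $2 = checksum file, $3 = signature
    sums_signed_by_keyring "$2" "$3" || { echo "BAD signature on $2" >&2; return 1; }
    iso_matches_sums "$2" "$1"       || { echo "BAD checksum for $1" >&2; return 1; }
    echo "OK: $1"
}

# Usage (file names are placeholders):
#   verify_iso debian.iso SHA512SUMS SHA512SUMS.sign
```

The order matters: the checksum comparison only means something once the checksum file itself has been tied to a key from the apt-verified keyring.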