On Thu, Jul 27, 2017 at 03:09:50PM +0200, Harald Dunkel wrote:
> If gpg and its derivatives are so fragile, I wonder if there
> is an alternative?

gpg isn't fragile. Fetching keys and stuff directly from the internet is not much of a problem in its normal mode of operation as you still have the web of trust – you don't magically trust a key just because it is in the keyring. gpg will in fact complain about not trusting it if you or trusted peers haven't signed it. That needs a user to actively maintain it a bit by refreshing keys, assigning trust values and co through.

That is different from the situation apt is in: If a key is in the keyring it has ultimate trust, so that keyring must be protected with your life – but on the upside you don't need to manage it manually if you don't want to as it will be managed for you.

Arguably the behaviour of gpg is better, but has one tiny problem: Have you got a verified connection to the archive signing key via the web of trust? The answer is very likely no, due to it being a rather technical thing at the moment. So what apt and basically any other software does is having some kind of ultimate trust database. Your browser e.g. has a giant certificate store. And they all hope that changes to that database are done with great care.

In apt it was just decided that we aren't going to invent our own way of public-key cryptography and implement it, but just reuse what already exists in the form of gpg by bending it to our needs – with the upside that one day we might 'easily' change to the web of trust if it becomes feasible for our use case.

Best regards

David Kalnischkies
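As an added illustration (not from the mail, nor gpg or apt source), a toy Python model of the two trust rules contrasted above: gpg's web-of-trust validity computation with its classic defaults (one fully trusted or three marginally trusted certifiers, certification depth capped at 5) versus apt's flat rule that any key in the trusted keyring is trusted outright. The fingerprints are constructed placeholders, not real keys.

```python
"""Toy model of two trust rules: gpg's web of trust versus apt's keyring.
Illustrative only; mirrors gpg's classic defaults (--completes-needed 1,
--marginals-needed 3, --max-cert-depth 5), not its implementation."""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, NONE = "u", "f", "m", "-"


@dataclass
class Key:
    fpr: str                       # constructed placeholder fingerprint
    owner_trust: str = NONE        # how far we trust the owner to certify others
    signed_by: set = field(default_factory=set)   # fprs that certified this key


def wot_valid(keys, fpr, depth=5, completes_needed=1, marginals_needed=3):
    """gpg-style: a key is valid if we ultimately trust it ourselves, or if
    enough *valid* certifiers with full/marginal owner trust signed it."""
    key = keys[fpr]
    if key.owner_trust == ULTIMATE:
        return True
    if depth == 0:                 # certification chain too long: give up
        return False
    completes = marginals = 0
    for signer in key.signed_by:
        s = keys.get(signer)       # unknown certifier contributes nothing
        if s is None or not wot_valid(keys, signer, depth - 1,
                                      completes_needed, marginals_needed):
            continue
        if s.owner_trust in (ULTIMATE, FULL):
            completes += 1
        elif s.owner_trust == MARGINAL:
            marginals += 1
    return completes >= completes_needed or marginals >= marginals_needed


def apt_valid(trusted_keyring, fpr):
    """apt-style: trusted iff present in the trusted keyring, full stop."""
    return fpr in trusted_keyring


def scenario():
    """Constructed keyring: me, one fully trusted friend, three marginal
    acquaintances, an archive signing key and a stranger."""
    me = Key("ME", ULTIMATE)
    friend = Key("FRIEND", FULL, {"ME"})
    acq = [Key(f"M{i}", MARGINAL, {"ME"}) for i in (1, 2, 3)]
    archive = Key("ARCHIVE")                       # no known certifier yet
    stranger = Key("STRANGER", signed_by={"UNKNOWN"})
    keys = {k.fpr: k for k in [me, friend, *acq, archive, stranger]}
    apt_keyring = {"ARCHIVE"}                      # what apt ships/manages
    results = {"archive_wot_before": wot_valid(keys, "ARCHIVE"),   # False
               "archive_apt": apt_valid(apt_keyring, "ARCHIVE"),   # True
               "stranger_wot": wot_valid(keys, "STRANGER"),        # False
               "stranger_apt": apt_valid(apt_keyring, "STRANGER")} # False
    archive.signed_by = {"M1", "M2", "M3"}         # three marginal certifiers
    results["archive_wot_after"] = wot_valid(keys, "ARCHIVE")      # True
    return results
```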