Re: adding gpg to src/gnu/dist

From: Bill Studenmund (wrstudennetbsd.org)
Date: Wed May 19 2004 - 21:12:09 CDT


On Fri, May 14, 2004 at 09:40:13AM -0700, Marc Tooley wrote:
>
> Wouldn't a web-of-trust be a more reliable source of public key
> information than a top-down hierarchy? I can be "more" sure that the
> NetBSD public key is the real public key if a bunch of trusted,
> intelligent friends also think it's the right public key.
>
> I'd like to avoid being snaggled one afternoon downloading some new
> packages that are signed by a key I thought was genuine.
>
> Or am I missing something?

Yes. You missed something.

You confused trusting the NetBSD public key (really should be the TNF one,
but close enough) with trusting that you have the real NetBSD public key.
There really are two different issues in there. The first is a question of
[basic, fundamental] trust, the second is a question of distribution.

They of course have the practical entanglement that if you don't trust
your distribution method, you can't really do anything.

As for seeding the NetBSD public key, we could use the pgp web-of-trust as
a distribution method. We could also get a Verisign root key, which would
make use of the existing Verisign trust network. Though I don't think we
really want to pay what Verisign will want for such a key.

For the case you describe, once you had the NetBSD public key, you
shouldn't be able to be fooled by a download.

Take care,

Bill

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iD8DBQFArBP5Wz+3JHUci9cRApB8AJ97zXR+IRN40iPwpGi9FoxRrezS+QCgkFin
FJf5B2/ZsR+kYG/4jAG3aaQ=
=l+g6
-----END PGP SIGNATURE-----
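The two checks Bill separates above, the distribution question (do I hold the real key?) and the trust question (does this download verify under it?), as an added example that is not part of the original thread and not NetBSD's or TNF's own tooling. It uses Go's standard-library Ed25519 in place of PGP so it runs without gpg installed; the fingerprint scheme (SHA-256 of the raw public key), the fixed key seeds, the sample package bytes and the `Scenario` function are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint stands in for a PGP key fingerprint: a digest of the public key
// short enough to compare against a printed copy or read out over the phone.
// (Assumption for this example; PGP uses its own fingerprint format.)
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ConfirmKey is the distribution step: a key fetched from a mirror is pinned
// only if its fingerprint matches the value learned out of band (release
// announcement, web-of-trust contacts, and so on). On mismatch no key is
// pinned, so nothing downstream can be verified against the wrong key.
func ConfirmKey(fetched ed25519.PublicKey, expected string) (ed25519.PublicKey, error) {
	if Fingerprint(fetched) != expected {
		return nil, errors.New("fetched key does not match out-of-band fingerprint; refusing to pin")
	}
	return fetched, nil
}

// VerifyDownload is the trust step: with a key pinned, a download is accepted
// only if its detached signature verifies under that key. A file signed by any
// other key, however genuine that key looks, is rejected.
func VerifyDownload(pinned ed25519.PublicKey, pkg, sig []byte) bool {
	if pinned == nil {
		return false
	}
	return ed25519.Verify(pinned, pkg, sig)
}

// Outcome records each check so the result can be inspected, not just printed.
type Outcome struct {
	GenuineAccepted   bool // real package, real signature, pinned key
	ForgedRejected    bool // attacker-signed package checked against the pinned key
	SwappedKeyRefused bool // attacker's key offered as "the NetBSD key"
}

// Scenario plays out the case Marc Tooley worried about. Keys come from fixed
// seeds so the run is deterministic (constructed for this example; a real
// release key is generated once and its fingerprint published widely).
func Scenario() Outcome {
	tnfPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	tnfPub := tnfPriv.Public().(ed25519.PublicKey)
	attackerPub := attackerPriv.Public().(ed25519.PublicKey)

	// What the user learned out of band, before downloading anything.
	expected := Fingerprint(tnfPub)

	// Constructed package contents and the two signatures over them.
	pkg := []byte("pkg-1.0.tgz contents (constructed sample)")
	genuineSig := ed25519.Sign(tnfPriv, pkg)
	forgedSig := ed25519.Sign(attackerPriv, pkg)

	var out Outcome

	// Honest mirror: the real key arrives, the fingerprint matches, pin it.
	pinned, err := ConfirmKey(tnfPub, expected)
	if err == nil {
		out.GenuineAccepted = VerifyDownload(pinned, pkg, genuineSig)
		out.ForgedRejected = !VerifyDownload(pinned, pkg, forgedSig)
	}

	// Distribution attack: a mirror serves the attacker's key in place of the real one.
	_, err = ConfirmKey(attackerPub, expected)
	out.SwappedKeyRefused = err != nil

	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point of splitting the work into `ConfirmKey` and `VerifyDownload` is that a signature check can never compensate for a bad key: if the fingerprint comparison is skipped, the attacker's packages verify perfectly under the attacker's key, which is exactly the "snaggled one afternoon" case. Everything the web of trust, a CA, or a printed fingerprint buys you lives in the first function; the second is mechanical once the first has been done honestly.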