(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

Steve Langasek vorlon at netexpress.net
Fri Nov 22 22:25:00 GMT 2002

On Sat, Nov 23, 2002 at 08:29:57AM +1100, Tim Potter wrote:
> On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:

> > >  Where do I get the samba codesigning key?  How do I import it?   How
> > >  do I know I got the right one?
> > > 
> > >  What do I do if it doesn't verify?

> > I always wondered if someone uploaded a tarball with a trojan, what's 
> > preventing them from updating the .asc file as well?

> This is why you can't necessarily ignore the message that says:

> gpg: WARNING: This key is not certified with a trusted signature!

> The samba team needs to get more people to sign the distribution key so
> this message becomes less frequent.

Hmm.  I see nine signatures already, and I have a full trust relationship
to the key which traverses multiple paths through the keyring, the
shortest of which is only three hops long, despite never having met a
member of the Samba Team.  All in all, a well-connected key, and I think
if there are people who get this error and actually care about it :), the
problem is more likely to lie on their end of the web of trust.

Steve Langasek
postmodern programmer
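
The distinction discussed in this thread, as an added example that is not part of the original message or of Samba's own tooling: a replaced tarball with a replaced .asc still yields a good signature, so the trust line is what separates the two cases. The function name `classify_gpg_status` is hypothetical, the sample status lines, key ID and fingerprint are constructed placeholders, and one detached signature per file is assumed.

```shell
#!/bin/sh
# Added example. Classifies the machine-readable output of
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# Assumes exactly one detached signature per file.

classify_gpg_status() {
    good=0 valid=0 trust=none
    while IFS=' ' read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            # Wrong data, unusable signature, or key we do not hold.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                echo bad; return 1 ;;
            GOODSIG)  good=1 ;;
            VALIDSIG) valid=1 ;;
            # Emitted together with the "not certified with a
            # trusted signature" warning quoted in the thread.
            TRUST_UNDEFINED|TRUST_NEVER) trust=untrusted ;;
            TRUST_MARGINAL)              trust=marginal ;;
            TRUST_FULLY|TRUST_ULTIMATE)  trust=trusted ;;
        esac
    done
    # No GOODSIG/VALIDSIG pair means nothing was verified at all.
    if [ "$good" -ne 1 ] || [ "$valid" -ne 1 ]; then
        echo bad; return 1
    fi
    case "$trust" in
        trusted)  echo good-trusted;   return 0 ;;
        marginal) echo good-marginal;  return 2 ;;
        # Signature matches the file, but anyone could own the key.
        *)        echo good-untrusted; return 2 ;;
    esac
}

# Constructed sample: valid signature from a key with no trust path.
sample_untrusted() {
    cat <<'EOF'
[GNUPG:] SIG_ID constructedSigId 2002-11-22 1037999999
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-11-22 1037999999
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_untrusted | classify_gpg_status || true
```

A `good-untrusted` verdict is the case where the warning cannot be ignored: the file matches the signature, but nothing ties the signing key to the people expected to have signed it.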