(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

Steve Langasek vorlon at netexpress.net
Fri Nov 22 22:48:00 GMT 2002


On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote:

> According to samba.html, the distribution key is 

>   http://us1.samba.org/samba/ftp/samba-pubkey.asc
>   gpg: key 2F87AF6F: public key "Samba Distribution Verification Key <samba-bugs at samba.org>"

Then perhaps this should be refreshed from the copy that's on the public
keyservers, which is where I imported it from?

> mbp at toey ~% gpg --list-sig 2F87AF6F   
> pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key <samba-bugs at samba.org>
> sig 3       2F87AF6F 2002-10-15   Samba Distribution Verification Key <samba-bugs at samba.org>
> sig         D83511F6 2002-10-15   Gerald W. Carter <jerry at samba.org>
> sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
> sig         2F87AF6F 2002-10-15   Samba Distribution Verification Key <samba-bugs at samba.org>

> Jerry's key is pretty well signed, but perhaps not strongly connected
> to the world at large.

Ah, well, he at least has good connectivity to other Samba Team members.
And to other people from valinux.com that I don't recognize. :)

> I don't know of any way to get GPG to automatically download
> signatures for the web of trust, so unless people happen to have
> Jerry's key and those of the people who certify him it is likely to be
> untrusted.

You write a shell script that walks the signature list and grabs from the
keyserver, I suppose.

> I think it would be good to get other developers to sign the
> distribution key.  Perhaps we might also get organizations like CERT
> or AusCERT to sign the key (if they will), because administrators are
> likely to already have their pubkeys.

Do you have key IDs for CERT and AusCERT?  I'm interested to see how
well-connected they are (would hate for people to substitute unfounded
faith in one key for a similar faith in another, at least).  Debian being
what it is, most of my trust paths to the world pass through people, not
through organizations... :)

-- 
Steve Langasek
postmodern programmer
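
One way to write the script suggested in the reply above, as an added example that is not part of the original message. It reads `gpg --list-sigs --with-colons` output; the function names, the sample listing and its key IDs are constructed placeholders, and the keyserver is whatever the caller passes in.

```shell
#!/bin/sh
# Walk the signatures on a key and fetch each signer's key from a keyserver.

# Constructed sample of `gpg --list-sigs --with-colons` output.
# All key IDs below are placeholders, not real keys.
sample_listing() {
cat <<'EOF'
pub:-:1024:17:1111111111111111:1034640000:::-:::scESC:
uid:-::::1034640000::0000::Distribution Key (constructed):
sig:::17:1111111111111111:1034640000::::Distribution Key (constructed):13x:
sig:::17:2222222222222222:1034640000::::Signer One (constructed):10x:
sub:-:1024:16:3333333333333333:1034640000:1097712000:::::e:
sig:::17:1111111111111111:1034640000::::Distribution Key (constructed):18x:
sig:::17:2222222222222222:1034726400::::Signer One (constructed):10x:
sig:::17:4444444444444444:1034726400::::[User ID not found]:10x:
EOF
}

# Read a colon-format listing on stdin and print each third-party signer
# key ID once. Field 5 holds the key ID; self-signatures (issuer equal to
# the enclosing pub key) are skipped because that key is already local.
signer_ids() {
  awk -F: '
    $1 == "pub" { self = $5 }
    $1 == "sig" && $5 != self && $5 ~ /^[0-9A-Fa-f]+$/ && !seen[$5]++ { print $5 }
  '
}

# Fetch the signers of key $1 from keyserver $2, one level deep.
# A failed fetch is reported and the walk continues with the next signer.
fetch_signers() {
  key=$1
  server=$2
  gpg --list-sigs --with-colons "$key" | signer_ids | while read -r id; do
    gpg --keyserver "$server" --recv-keys "$id" ||
      echo "could not fetch $id from $server" >&2
  done
}

# Run only when called as: script KEYID KEYSERVER
if [ "$#" -eq 2 ]; then
  fetch_signers "$1" "$2"
fi
```

Fetching the signers' keys only makes their signatures checkable; whether any of them is trusted still depends on the local trust settings and on verifying fingerprints out of band.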