(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions
Steve Langasek
vorlon at netexpress.net
Fri Nov 22 22:48:00 GMT 2002
On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote:
> According to samba.html, the distribution key is
> http://us1.samba.org/samba/ftp/samba-pubkey.asc
> gpg: key 2F87AF6F: public key "Samba Distribution Verification Key <samba-bugs at samba.org>"
Then perhaps this should be refreshed from the copy that's on the public
keyservers, which is where I imported it from?
> mbp at toey ~% gpg --list-sig 2F87AF6F
> pub 1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key <samba-bugs at samba.org>
> sig 3 2F87AF6F 2002-10-15 Samba Distribution Verification Key <samba-bugs at samba.org>
> sig D83511F6 2002-10-15 Gerald W. Carter <jerry at samba.org>
> sub 1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
> sig 2F87AF6F 2002-10-15 Samba Distribution Verification Key <samba-bugs at samba.org>
> Jerry's key is pretty well signed, but perhaps not strongly connected
> to the world at large.
Ah, well, he at least has good connectivity to other Samba Team members.
And to other people from valinux.com that I don't recognize. :)
> I don't know of any way to get GPG to automatically download
> signatures for the web of trust, so unless people happen to have
> Jerry's key and those of the people who certify him it is likely to be
> untrusted.
You write a shell script that walks the signature list and grabs from the
keyserver, I suppose.
> I think it would be good to get other developers to sign the
> distribution key. Perhaps we might also get organizations like CERT
> or AusCERT to sign the key (if they will), because administrators are
> likely to already have their pubkeys.
Do you have key IDs for CERT and AusCERT? I'm interested to see how
well-connected they are (would hate for people to substitute unfounded
faith in one key for a similar faith in another, at least). Debian being
what it is, most of my trust paths to the world pass through people, not
through organizations... :)
--
Steve Langasek
postmodern programmer
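
The script suggested in the reply above ("walks the signature list and grabs from the keyserver") could look like the following. This is an added example, not code from the thread or from the Samba project; the function names and every key ID and user ID in `sample_listing` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Key IDs in sample_listing are constructed.

# signer_ids: read `gpg --list-sigs --with-colons` output on stdin and print
# the unique key IDs of third-party certifiers, one per line.
# In colon format, field 1 is the record type and field 5 the key ID.
signer_ids() {
    awk -F: '
        $1 == "pub" { self = $5 }    # remember the primary key of this block
        $1 == "sig" && $5 != self && !seen[$5]++ { print $5 }
    '
}

# sample_listing: constructed colon-format listing for offline use.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:1111111111111111:1034640000:::-:::scSC:
uid:-::::1034640000::::Example Distribution Key <dist@example.org>:
sig:::17:1111111111111111:1034640000::::Example Distribution Key <dist@example.org>:13x:
sig:::17:2222222222222222:1034640000::::Example Developer A <a@example.org>:10x:
sig:::17:3333333333333333:1034726400::::[User ID not found]:10x:
sig:::17:2222222222222222:1034812800::::Example Developer A <a@example.org>:10x:
sub:-:1024:16:4444444444444444:1034640000:1097712000:::::e:
sig:::17:1111111111111111:1034640000::::Example Distribution Key <dist@example.org>:18x:
EOF
}

# fetch_signers KEYID: fetch the certifiers of KEYID from the configured keyserver.
# Set DRY_RUN=1 to print the gpg command instead of running it.
fetch_signers() {
    ids=$(gpg --list-sigs --with-colons "$1" | signer_ids)
    [ -n "$ids" ] || { echo "no third-party signatures on $1" >&2; return 0; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo gpg --recv-keys $ids
    else
        gpg --recv-keys $ids      # unquoted on purpose: one argument per key ID
    fi
}
```

Fetching the certifiers only populates the keyring. The distribution key becomes valid only if one of those signatures chains back to a key whose fingerprint you have already verified and assigned trust.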