
Re: PROPOSAL: GPG Signing of Releases

From: Travis P <svn_at_castle.fastmail.fm>
Date: 2004-04-07 01:04:54 CEST

On Apr 6, 2004, at 5:08 PM, Ben Reser wrote:

> But really using individual keys doesn't entirely solve this problem.
> It just means that you have to go to the website and see who's
> authorized to... Ohh yeah we can't trust the website. The fact is there
> has to be some other shared form of trust here. There's no way to get
> away from that.

The shared project key has exactly the same problem that you attribute
to the individual key case. How do you know which "project key" is
trustable? Either via the website or via some chain of trust with which
you satisfy yourself through some individual(s) in common with the project
key. If it is useful, it is only because it is "blessed" by a group
that could each sign the package themselves and probably will anyway.
The shared key seems an unnecessary complication.

That said, paint this shed any color you want. :-)

Travis

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Apr 7 01:09:01 2004
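The point Travis makes above is that the trust anchor is not the key on the download site but the set of individuals the verifier already trusts. The following is an added example, not code from this thread or from the Subversion project, of what a release-acceptance check built on that idea looks like: a pinned list of maintainer primary-key fingerprints, a threshold of distinct pinned signers, and a parser for gpg's machine-readable `--status-fd` output (the VALIDSIG field layout is GnuPG's documented format; the fingerprints, names, timestamps and status lines are constructed for the example).

```python
"""Release-signature policy on pinned individual maintainer keys (added example)."""
from __future__ import annotations

import subprocess
from typing import Iterable

# Pinned primary-key fingerprints of release managers.  This list is the
# "shared form of trust": obtained once, out of band (key signing, a copy
# already on disk), never fetched from the site being verified.
# Hypothetical values for the example.
TRUSTED_SIGNERS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "alice (hypothetical RM)",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "bob (hypothetical RM)",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98": "carol (hypothetical RM)",
}
THRESHOLD = 2  # distinct pinned signers required for the group to "bless" a release
FATAL_STATUS = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "NO_PUBKEY"}


def gpg_status_lines(signature: str, artifact: str) -> list[str]:
    """Run gpg and return its status lines (not exercised by the embedded samples).

    --status-fd gives stable, documented output; the human-readable
    "Good signature from ..." text is for people, not for policy decisions.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


def valid_primary_fingerprints(status_lines: Iterable[str]) -> set[str]:
    """Collect primary-key fingerprints from VALIDSIG lines.

    VALIDSIG args: <sig-key fpr> <date> <ts> <expire-ts> <sig-ver> <reserved>
    <pk-algo> <hash-algo> <sig-class> [<primary-key fpr>].  Signatures are
    often made with a subkey, so the primary fingerprint is what gets pinned.
    Any fatal status rejects the whole run instead of being skipped.
    """
    found: set[str] = set()
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL_STATUS:
            raise ValueError(f"verification failed: {keyword}")
        if keyword == "VALIDSIG" and args:
            primary = args[9] if len(args) >= 10 else args[0]
            found.add(primary.upper())
    return found


def release_accepted(status_lines: Iterable[str], trusted: dict[str, str] = TRUSTED_SIGNERS,
                     threshold: int = THRESHOLD) -> tuple[bool, str]:
    """Accept only when at least `threshold` distinct pinned signers verified."""
    try:
        signers = valid_primary_fingerprints(status_lines)
    except ValueError as exc:
        return False, str(exc)
    recognised = {f for f in signers if f in trusted}
    if len(recognised) < threshold:
        return False, (f"{len(recognised)} pinned signer(s), need {threshold}; "
                       f"unknown signers: {sorted(signers - recognised)}")
    return True, "accepted: signed by " + ", ".join(trusted[f] for f in sorted(recognised))


def _validsig(signing_fpr: str, primary_fpr: str) -> str:
    # Constructed VALIDSIG line in gpg's field order; timestamps are made up.
    return f"[GNUPG:] VALIDSIG {signing_fpr} 2004-04-07 1081296294 0 4 0 1 8 00 {primary_fpr}"


ALICE, BOB, CAROL = tuple(TRUSTED_SIGNERS)
MALLORY = "DEADBEEF00000000DEADBEEF00000000DEADBEEF"  # constructed, not pinned

# Constructed status output: two pinned maintainers, alice via a signing subkey.
TWO_TRUSTED_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG C0DE0000A11CE5EC alice (hypothetical RM)",
    _validsig("A11CE5ECC0DE0000A11CE5ECC0DE0000A11CE5EC", ALICE),
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF bob (hypothetical RM)",
    _validsig(BOB, BOB),
]
# One pinned signer plus a key whose user ID merely *claims* to be alice:
# fingerprints decide, names do not.
IMPOSTOR_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF bob (hypothetical RM)",
    _validsig(BOB, BOB),
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 00000000DEADBEEF alice (hypothetical RM)",
    _validsig(MALLORY, MALLORY),
]
# Tampered artifact: the signature does not verify at all.
BADSIG_STATUS = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 0123456789ABCDEF bob (hypothetical RM)"]

if __name__ == "__main__":
    for name, status in (("two pinned", TWO_TRUSTED_STATUS), ("impostor", IMPOSTOR_STATUS),
                         ("badsig", BADSIG_STATUS)):
        print(name, release_accepted(status))
```

With a single shared project key the same gpg run would yield one VALIDSIG and no way to tell which maintainer actually signed or whether the key had leaked; with individual keys the pinned list plus the threshold is the "blessing by the group" stated explicitly, and the list itself is the one thing that still has to arrive through a channel other than the website.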

This is an archived mail posted to the Subversion Dev mailing list.
