Re: PROPOSAL: GPG Signing of Releases

From: Travis P <svn_at_castle.fastmail.fm>
Date: 2004-04-07 01:04:54 CEST

On Apr 6, 2004, at 5:08 PM, Ben Reser wrote:

> But really using individual keys doesn't entirely solve this problem.
> It just means that you have to go to the website and see who's
> authorized to... Ohh yeah we can't trust the website. The fact is
> there
> has to be some other shared form of trust here. There's no way to get
> away from that.

The shared project key has exactly the same problem that you attribute
to the individual key case. How do you know which "project key" is
trustable? Either the website or via some chain of trust with which
you satisfy yourself via some individual(s) in common with the project
key. If it is useful, it is only because it is "blessed" by a group
that could sign the package each themselves and probably will anyway.
The shared key seems an unnecessary complication.

That said, paint this shed any color you want. :-)

Travis

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Apr 7 01:09:01 2004

This message: [ Message body ]
Next message: Ben Reser: "Re: PROPOSAL: GPG Signing of Releases"
Previous message: Ben Reser: "Re: pax built test tarballs"
In reply to: Ben Reser: "Re: PROPOSAL: GPG Signing of Releases"
Next in thread: Ben Reser: "Re: PROPOSAL: GPG Signing of Releases"
Reply: Ben Reser: "Re: PROPOSAL: GPG Signing of Releases"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]