Secrecy and user trust
Bill Davidsen
davidsen at tmr.com
Thu Sep 4 20:38:54 UTC 2008
Tim wrote:
> Bill Davidsen:
>>> Suggestion: since the livna key is still secure (AFAIK) let them
>>> distribute the new Fedora key and sign the RPM.
>
> Kevin Fenzi:
>> That was suggested before, but it's not a great solution for several
>> reasons: Not everyone has livna enabled. Having one repo publish keys
>> for another seems wrong, especially when they are not officially
>> connected.
>
> I'm not sure whether *also* having the keys on other sites is so bad.
I give up, politics as usual. If a proposed solution isn't perfect it
isn't good enough, so trust us.
> If you take it like the GPG model - countersigning and cross-checking
> through other sources that you also trust. If Livna, ATRPMs, and a few
> other usual repos had the same Fedora public key, you'd be more
> confident that the key you got from what you think is a real Fedora
> mirror, is the right one.
>
Well said. Common sense. The political answer is "wait until new
improved RPM comes out."
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the fedora-list
mailing list