Secrecy and user trust

jdow jdow at earthlink.net
Fri Sep 5 19:03:08 UTC 2008 

From: "Jeff Spaleta" <jspaleta at gmail.com>
Sent: Friday, 2008, September 05 09:46


> On Fri, Sep 5, 2008 at 5:59 AM, Bill Davidsen <davidsen at tmr.com> wrote:
>> This is a (hopefully) one-time problem, and therefore it probably doesn't
>> need a perfect, automated, runs-by-itelf solution. And my assumption has
>> been that some people at other repositories do personally know and 
>> interact
>> with official people in the Fedora project, and that there is an 
>> out-of-band
>> way to pass information to the people at some other repository.
>
> Your assumption absolutely breaks the trust metric. Assume your wrong. 
> Assume
> that 3rd party repositories are treated just like any other end-user
> to Fedora...because they are just other end-users with absolutely no
> special relationship. Assume that.. because that's how it stands.
>
>> Given the
>> nature of the problem, that could mean carrying a CD a hundred miles to 
>> meet
>> with someone who is personally known to you from a presentation, etc, 
>> etc.
>> It need not be pretty, let's assume that this is a one-time problem.
>
> Are seriously telling us to wait to distribute keys to people so we
> can get updates flowing again until someone has flown several hundred
> miles and done the GPG key signing dance with a 3rd party repo
> signatory and then flown back?  Right now for this one time problem..
> that is absolutely not worth it.  Nor with that ever be worth it.
> Especially since every single one of our users were already using a
> key that didn't rely on a physical face-to-face 3rd party key signing
> up to this point.

Suppose Fedora generates a new key. They can get it out there by putting
it on their website, in an update RPM, and in plain textual format in
the primary download sites. Then I as a user either trust that or find
I have to take a trip to somebody's office I know is authoritative for
Fedora and get the key on some portable media.

Now, I can also check the key if it is uploaded to all the mirrors the
same way. If I download from a large collection of sites and they all
are bit copies of each other then either the web of deceit is so large
we're all lost anyway or I have a good key.

So the focus of the discussion is silly. Trust is established once, in
some way. Use the same way again that satisfied you in the first place
and get on with life.

{^_^}    <- betting the real problem is "infrastructure."

More information about the fedora-list mailing list