Re: Secrecy and user trust



Tim wrote:
Bill Davidsen:
Suggestion: since the livna key is still secure (AFAIK) let them distribute the new Fedora key and sign the RPM.

Kevin Fenzi:
That was suggested before, but it's not a great solution for several
reasons: Not everyone has livna enabled. Having one repo publish keys
for another seems wrong, especially when they are not officially
connected.

I'm not sure whether *also* having the keys on other sites is so bad.

I give up, politics as usual. If a proposed solution isn't perfect it isn't good enough, so trust us.

If you take it like the GPG model - countersigning and cross-checking
through other sources that you also trust. If Livna, ATRPMs, and a few
other usual repos had the same Fedora public key, you'd be more
confident that the key you got from what you think is a real Fedora
mirror, is the right one.

Well said. Common sense. The political answer is "wait until new improved RPM comes out."

--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines



Relevant Pages