incubator-general mailing list archives

From Christian Grobmeier
Subject Re: KEYS and releases
Date Tue, 28 Jun 2011 09:16:43 GMT
>> Hence the need for people to download KEYS files from an *
>> domain that we do control. Putting KEYS in a distribution might cause
>> people to use them instead of getting them from a trusted source, and
>> that's bad.
> The keys should be included in the web of trust, so it shouldn't
> matter from where a user gets the keys.
> Without the web of trust, the PGP signatures are just a rather
> elaborate version of the MD5 and SHA1 checksums we also provide.
> Of course, without being included in the web of trust, the best a user
> can do is to get at least one of the keys from a trusted source.

It should, but I don't know a single project (I don't know all of
course) where it has been asked on a dev list:
"I have no trusted key. Is a trusted user out there who could please
sign my release artifacts?"

I would like to know how many signing keys are actually trusted which
have been used for our releases.
