Subject: Re: adding gpg to src/gnu/dist
To: None <tech-userlevel@NetBSD.org, tech-security@NetBSD.org>
From: Marc Tooley <netbsdMLpostNO@SPAM.quake.ca>
Date: 05/14/2004 09:40:13
On Thursday 13 May 2004 08:25, Thor Lancelot Simon wrote:
> For example, in the extensive list of gpg command-line invocations
> for which you asked for equivalents, quite a few of them are
> associated with web-of-trust management. But (for this purpose)
> we don't have a web of trust; we have a trust hierarchy. This
> means that a huge amount of the functionality in GPG is superfluous,
> whatever one thinks of how it's implemented.
Wouldn't a web-of-trust be a more reliable source of public key
information than a top-down hierarchy? I can be "more" sure that the
NetBSD public key is the real public key if a bunch of trusted,
intelligent friends also think it's the right public key.
I'd like to avoid being snaggled one afternoon downloading some new
packages that are signed by a key I thought was genuine.
Or am I missing something?