Subject: Re: adding gpg to src/gnu/dist
To: None <>
From: Bill Studenmund <>
List: tech-userlevel
Date: 05/19/2004 19:12:09

On Fri, May 14, 2004 at 09:40:13AM -0700, Marc Tooley wrote:
> Wouldn't a web-of-trust be a more reliable source of public key
> information than a top-down hierarchy? I can be "more" sure that the
> NetBSD public key is the real public key if a bunch of trusted,
> intelligent friends also think it's the right public key.
> I'd like to avoid being snaggled one afternoon downloading some new
> packages that are signed by a key I thought was genuine.
> Or am I missing something?

Yes. You missed something.

You confused trusting the NetBSD public key (really should be the TNF one,
but close enough) with trusting that you have the real NetBSD public key.
There really are two different issues in there. The first is a question of
[basic, fundamental] trust; the second is a question of distribution.

They of course have the practical entanglement that if you don't trust
your distribution method, you can't really do anything.

As for seeding the NetBSD public key, we could use the pgp web-of-trust as
a distribution method. We could also get a Verisign root key, which would
make use of the existing Verisign trust network. Though I don't think we
really want to pay what Verisign will want for such a key.

For the case you describe, once you had the NetBSD public key, you
shouldn't be able to be fooled by a download.

Take care,
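The two issues Bill separates, whether you trust a key and whether the key you hold is the genuine one, can be shown in code. The following is an added example, not code from the thread or from NetBSD; it uses a self-contained Lamport one-time signature over SHA-256 so it runs with only the Python standard library (the real project used GnuPG, and the names `keygen`, `sign`, `verify`, `fingerprint` and `check_download` are assumptions for this illustration). The distribution problem is modelled by a fingerprint the verifier obtained out of band and pinned; once that pin is in place, a package signed by some other key is rejected even though that other key's signature is internally valid, and a modified package fails the signature check itself.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
DIGEST_BITS = 256  # one secret pair per bit of the SHA-256 digest

# Outcomes of check_download(); strings so a caller can log the reason
OK = "ok"
UNTRUSTED_KEY = "rejected: key fingerprint does not match the pinned key"
BAD_SIGNATURE = "rejected: signature does not verify"


def keygen():
    """Lamport one-time key: 256 pairs of random 32-byte secrets.
    The public key is the hash of every secret. A key must sign only once."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pub = [(HASH(a).digest(), HASH(b).digest()) for a, b in priv]
    return priv, pub


def fingerprint(pub):
    """Hash of the whole public key: the short value you verify out of band
    (this is the 'distribution' half of the problem)."""
    h = HASH()
    for a, b in pub:
        h.update(a)
        h.update(b)
    return h.hexdigest()


def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(priv, message):
    """Reveal, for each digest bit, the secret that corresponds to that bit."""
    digest = HASH(message).digest()
    return [priv[i][_bit(digest, i)] for i in range(DIGEST_BITS)]


def verify(pub, message, sig):
    """Hash each revealed secret and compare with the matching public value.
    Constant-time compare across all positions, accumulating a single result."""
    if len(sig) != DIGEST_BITS:
        return False
    digest = HASH(message).digest()
    ok = True
    for i in range(DIGEST_BITS):
        ok &= hmac.compare_digest(HASH(sig[i]).digest(), pub[i][_bit(digest, i)])
    return ok


def check_download(pinned_fingerprint, claimed_pub, package, sig):
    """What a downloader does once it already holds the genuine key's
    fingerprint: first decide whether the offered key is that key, then
    decide whether the package is signed by it."""
    if not hmac.compare_digest(fingerprint(claimed_pub), pinned_fingerprint):
        return UNTRUSTED_KEY
    if not verify(claimed_pub, package, sig):
        return BAD_SIGNATURE
    return OK


def demo():
    """Three downloads against one pinned fingerprint; returns the verdicts."""
    # Constructed sample data: the 'project' key and one package payload
    priv, pub = keygen()
    pinned = fingerprint(pub)          # obtained out of band, e.g. web-of-trust
    package = b"constructed-package-1.0.tgz contents"
    sig = sign(priv, package)

    # A second key that is valid in itself but is not the pinned one
    other_priv, other_pub = keygen()
    other_sig = sign(other_priv, package)

    genuine = check_download(pinned, pub, package, sig)
    wrong_key = check_download(pinned, other_pub, package, other_sig)
    tampered = check_download(pinned, pub, package + b"\x00", sig)
    return genuine, wrong_key, tampered


if __name__ == "__main__":
    for label, verdict in zip(("genuine", "other key", "tampered"), demo()):
        print(f"{label:10s} {verdict}")
```

The point the exchange turns on is the pinned fingerprint: a web of trust or a commercial CA only helps you obtain that value with confidence; after that, every download is judged against the key you already hold, and a signature by any other key, however well-formed, is rejected.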

