Subject: Re: adding gpg to src/gnu/dist
To: None <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 05/19/2004 19:12:09
Content-Type: text/plain; charset=us-ascii
On Fri, May 14, 2004 at 09:40:13AM -0700, Marc Tooley wrote:
> Wouldn't a web-of-trust be a more reliable source of public key
> information than a top-down hierarchy? I can be "more" sure that the
> NetBSD public key is the real public key if a bunch of trusted,
> intelligent friends also think it's the right public key.
> I'd like to avoid being snaggled one afternoon downloading some new
> packages that are signed by a key I thought was genuine.
> Or am I missing something?
Yes. You missed something.
You confused trusting the NetBSD public key (really should be the TNF one,
but close enough) with trusting that you have the real NetBSD public key.
There really are two different issues in there. The first is a question of
[basic, fundamental] trust, the second is a question of distribution.

They of course have the practical entanglement that if you don't trust
your distribution method, you can't really do anything.

As for seeding the NetBSD public key, we could use the pgp web-of-trust as
a distribution method. We could also get a Verisign root key, which would
make use of the existing Verisign trust network. Though I don't think we
really want to pay what Verisign will want for such a key.

For the case you describe, once you had the NetBSD public key, you
shouldn't be able to be fooled by a download.
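The distinction drawn above, key validity (did the web of trust deliver me the real key?) versus ownertrust (do I let that key vouch for others?), shown as an added toy model of the classic PGP validity rule; this is illustration code written for this page, not GnuPG's implementation or anything from the thread, and every key name (the friends, "netbsd", "mallory", "pkg-signer") is a constructed placeholder.

```python
# Toy model of the classic PGP web-of-trust validity rule (one fully trusted
# or three marginally trusted signers). Added illustration, not GnuPG's code;
# all key names ("me", the friends, "netbsd", "mallory") are constructed.
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Keyring:
    ultimately_trusted: set = field(default_factory=set)  # keys I verified myself
    ownertrust: dict = field(default_factory=dict)        # key -> FULL/MARGINAL/NONE
    signers: dict = field(default_factory=dict)           # key -> keys that signed it

    def certify(self, signer, subject):
        """Record that `signer` has signed `subject`'s key."""
        self.signers.setdefault(subject, set()).add(signer)

    def is_valid(self, key, depth=0, max_depth=5):
        """Validity answers 'do I hold the real key?' (the distribution question).
        Ownertrust, whether I let a key vouch for others, is a separate decision."""
        if key in self.ultimately_trusted:
            return True
        if depth >= max_depth:  # caps certification chains and breaks cycles
            return False
        full = marginal = 0
        for signer in self.signers.get(key, ()):
            if signer == key or not self.is_valid(signer, depth + 1, max_depth):
                continue  # a signature from an unverified key counts for nothing
            level = FULL if signer in self.ultimately_trusted else self.ownertrust.get(signer, NONE)
            if level == FULL:
                full += 1
            elif level == MARGINAL:
                marginal += 1
        return full >= 1 or marginal >= 3


def example_keyring(friends=("alice", "bob", "carol")):
    """Constructed scenario: I signed my friends' keys and trust them marginally;
    each friend signed the 'netbsd' key. 'mallory', whom nobody I know has
    signed, vouches for a look-alike 'netbsd-fake' key."""
    kr = Keyring(ultimately_trusted={"me"})
    for friend in friends:
        kr.certify("me", friend)
        kr.ownertrust[friend] = MARGINAL
        kr.certify(friend, "netbsd")
    kr.certify("mallory", "netbsd-fake")
    kr.certify("netbsd", "pkg-signer")  # valid key, but no ownertrust granted to it yet
    return kr
```

With three marginally trusted friends the "netbsd" key becomes valid and the look-alike does not, yet a key certified only by "netbsd" stays invalid until I explicitly assign ownertrust to "netbsd": having the real key and trusting its owner are two separate decisions.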