On Thursday 13 May 2004 08:25, Thor Lancelot Simon wrote:
>
> For example, in the extensive list of gpg command-line invocations
> for which you asked for equivalents, quite a few of them are
> associated with web-of-trust management.  But (for this purpose)
> we don't have a web of trust; we have a trust hierarchy.  This
> means that a huge amount of the functionality in GPG is superfluous,
> whatever one thinks of how it's implemented.

Wouldn't a web-of-trust be a more reliable source of public key 
information than a top-down hierarchy? I can be "more" sure that the 
NetBSD public key is the real public key if a bunch of trusted, 
intelligent friends also think it's the right public key.

I'd like to avoid being snaggled one afternoon downloading some new 
packages that are signed by a key I thought was genuine.

Or am I missing something?