Tim wrote: > I'm not sure whether *also* having the keys on other sites is so bad. > If you take it like the GPG model - countersigning and cross-checking > through other sources that you also trust. If Livna, ATRPMs, and a few > other usual repos had the same Fedora public key, you'd be more > confident that the key you got from what you think is a real Fedora > mirror, is the right one. There certainly isn't anything stopping others from singing the Fedora key (as can be seen by the number of signatures already¹. I do wonder how many of those folks have met with the holder of the secret part of the Fedora key for verifying the fingerprint. Another issue with adding signatures to the key is that rpm has no ability to check those signatures (I'm not even sure if it imports a key with multiple signatures properly). Now that rpm is being more actively developed and the lack of a key revocation feature has been felt, maybe someone will submit some patches to add such features². ¹ http://subkeys.pgp.net:11371/pks/lookup?search=0x4F2A6FD2&fingerprint=on&op=vindex ² http://wiki.rpm.org/Contribute -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ So its hurry! Hurry! Step right up, it's a matter of life or death The sun is going down and the moon is just holding its breath.
Attachment:
pgp8kTEUToM3q.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines