For what it is worth, not signing the key is bug 1043276:
https://bugzilla.redhat.com/show_bug.cgi?id=1043276

> Date: Mon, 22 Feb 2016 19:47:51 +0000
> From: Gregory Maxwell <gmaxwell@xxxxxxxxx>
> Subject: Re: More prominent link to verification hashes
> To: Development discussions related to Fedora
> <devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Message-ID:
> <CAAS2fgSKZkOQQY=dW4-bSLQR66enwMXHBPv5SASg6sBkmCeVzA@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> My point was that you can get the signatures off the key from the
>> keyserver and see if any of them are someone you trust. If not, are
>> they connected to someone you trust (hey, look, web of trust). I think
>> expanding the web of trust on the signatories of the keys would help
>> more than just trying to distribute the key fingerprint "lots of
>> places".
>
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.
>
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx