On Tue, 23 Feb 2016 18:01:29 +0100
Till Maas <opensource@xxxxxxxxx> wrote:

> On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> > On Mon, 22 Feb 2016 19:45:03 +0000
> > Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote:
> >
> > > I don't think there is any utility in pointing people to a
> > > keyserver here.
> >
> > I think it would allow them to check signatures against their web of
> > trust.
>
> Since one needs to load the gpg key into the gpg keyring anyhow, one
> can just refresh the key from the keyserver to get the signatures
> from other keys. Since one cannot trust the direct link to a
> keyserver, linking to a keyserver actually weakens the security IMHO.

To be clear, I wasn't suggesting a direct link to a specific keyserver,
but more a statement like "Search for key blah with fingerprint foo and
name bar on public gpg servers".

That said, yeah, just refreshing locally to get signatures seems much
more sane.

kevin
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx