On Mon, 1 Nov 2004 14:51:34 -0600 (CST), Satish Balay <balay@xxxxxxxxxxx> wrote:

> And as Matias already pointed out - let's not mix QA perception with
> 'signature'.

I'm not. I haven't talked about QA at all. I'm talking about "trust" as defined in mature pgp/gpg implementations. Would you like references that talk about the trust metric inherent in something like gnupg?

I'm saying that comparing package signing as implemented inside rpm to general-purpose gpg signing using gnupg is a somewhat apples-to-oranges discussion, and that the principles associated with general-purpose gpg usage using an implementation like gnupg cannot be mapped over to rpm's signing implementation without acknowledgment that rpm's lack of that inherent "trust" metric has greatly impacted what rpm package signing has meant historically.

Changing the meaning now, simply by changing documentation, isn't good enough for me. I believe the web-of-trust concept is a vital part of a full gpg implementation, and that historically the lack of a web-of-trust metric has meant that signed packages have been used both for shallow verification and as an inherent measure of "trust". Once there is an inherent "trust" metric in respect of signed keys inside rpm, many of my concerns would be addressed.

I encourage you to read up on how gnupg (aka gpg) calculates its trust database... it has nothing to do with QA.

-jef