Jeff, your replies from gmail appear to send 2 e-mails - with the following
headers (causing me some confusion here):

1: without cc:fedora-test-list
2: with cc:fedora-test-list

Hence resending this reply to the list.

Satish

On Mon, 1 Nov 2004, Satish Balay wrote:

>
> On Mon, 1 Nov 2004, Jeff Spaleta wrote:
>
> > On Mon, 1 Nov 2004 14:51:34 -0600 (CST), Satish Balay <balay@xxxxxxxxxxx> wrote:
> > > And as Matias already pointed out - let's not mix QA perception with
> > > 'signature'.
> >
> > I'm not.. I haven't talked about QA at all. I'm talking about "trust"
> > as defined in mature pgp/gpg implementations. Would you like
> > references that talk about the trust metric inherent in something like gnupg?
> > I'm saying that comparing package signing as implemented inside
> > rpm to general purpose gpg signing using gnupg is a somewhat apples to
> > oranges discussion, and that the principles associated with general
> > purpose gpg usage using an implementation like gnupg can not be mapped
> > over to rpm's signing implementation without acknowledgment that rpm's
> > lack of that inherent "trust" metric has greatly impacted what rpm
> > package signing has meant historically. Changing the meaning now,
> > simply by changing documentation, isn't good enough for me. I believe
> > the web-of-trust concept is a vital part of a full gpg implementation,
> > and that historically the lack of a web-of-trust metric has meant that
> > signed packages have been used both for shallow verification and as an
> > inherent measure of "trust". Once there is an inherent "trust" metric
> > in respect of signed keys inside rpm, many of my concerns would be
> > addressed. I encourage you to read up on how gnupg (aka gpg)
> > calculates its trust database.... it has nothing to do with QA.
>
> Long statements spin my head.
>
> You say:
>
> - rpm's package signing is not the same as 'gnupg' signing
> - the big difference is the 'trust' mechanism (there is none for rpm)
> - there is an inherent 'trust' in rpm signed packages due to the absence of other proper means.
> - signing rawhide breaks this inherent trust.
> - rpm implementing web-of-trust is the solution.
>
> I'm not much familiar with gnupg (just ssh keys) - so I keep thinking
> - the 'trust' mechanism of gnupg is primarily to validate 'public'
> keys.
>
> I still don't understand how you get the extra security of 'inherent
> trust' - and how 'rawhide signed' packages (with a different key)
> breaks this. The public keys are what I trust - and I'd like to use
> each key differently.
>
> Satish
>
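Jeff's point that gnupg computes a trust database while rpm only checks whether a key is in its keyring, as an added example (not code from the thread, from GnuPG or from rpm): a toy model of the classic GnuPG validity calculation next to rpm's keyring check. The keys, certifications and owner-trust values are constructed, and the thresholds (1 full or 3 marginal signers, chains at most 5 deep) are the assumed GnuPG defaults.

```python
# Added example, not part of the thread: a toy model of the "classic" GnuPG
# trust calculation Jeff refers to, beside rpm's flat keyring check.
# Assumed GnuPG defaults: 1 fully trusted or 3 marginally trusted valid signers
# make a key fully valid; certification chains are followed at most 5 deep.

# Constructed sample web of trust: "me" is the ultimately trusted local key.
ULTIMATE = {"me"}
OWNER_TRUST = {"alice": "full", "bob": "marginal", "carol": "marginal"}
# (signer, signed): signer has certified the signed key.
CERTS = [("me", "alice"), ("me", "bob"), ("me", "carol"),
         ("alice", "release-key"), ("bob", "rawhide-key"), ("carol", "rawhide-key")]
# Constructed rpmdb keyring: both keys were imported with `rpm --import`.
RPMDB_KEYS = {"release-key", "rawhide-key"}


def gnupg_validity(certs, owner_trust, ultimate, completes_needed=1,
                   marginals_needed=3, max_cert_depth=5):
    """Return {key: validity}, validity being ultimate/full/marginal/unknown."""
    validity = {k: "ultimate" for k in ultimate}
    depth = {k: 0 for k in ultimate}          # chain length from an ultimate key
    keys = set(owner_trust) | {k for pair in certs for k in pair}
    for d in range(1, max_cert_depth + 1):
        changed = False
        for key in sorted(keys):
            if validity.get(key) in ("full", "ultimate"):
                continue
            full = marginal = 0
            for signer, signed in certs:
                # only signers that are already fully valid at a shorter depth count
                if signed != key or depth.get(signer, d) >= d:
                    continue
                if signer in ultimate or owner_trust.get(signer) == "full":
                    full += 1
                elif owner_trust.get(signer) == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key], depth[key], changed = "full", d, True
            elif full + marginal > 0:
                validity[key] = "marginal"      # some trust, but not enough
        if not changed:
            break
    return {k: validity.get(k, "unknown") for k in keys}


def rpm_verifies(rpmdb_keys, package_signer):
    """rpm's whole decision: is the signing key in the keyring, yes or no."""
    return package_signer in rpmdb_keys


if __name__ == "__main__":
    for k, v in sorted(gnupg_validity(CERTS, OWNER_TRUST, ULTIMATE).items()):
        print(f"gnupg validity of {k}: {v}")
    for k in ("release-key", "rawhide-key"):
        print(f"rpm accepts {k}: {rpm_verifies(RPMDB_KEYS, k)}")
```

With this data the release key comes out fully valid and the rawhide key only marginally valid, while rpm accepts both identically because both were imported; the graded answer is exactly what rpm's keyring model does not express.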