Ted Ts'o <tytso@xxxxxxx> writes:

>> That would improve the situation (I suspect that there
>> were some people who misunderstood that these GPG signatures were to
>> protect against break-in at the master machine), but at the same time, it
>> may create the chicken-and-egg bootstrapping problem if public keys of too
>> many people need to be published securely.
>
> We are in the process of bootstrapping a GPG web of trust. Linus has
> generated a new GPG key which has been signed by Peter Anvin, Dirk,
> and myself. We'll get a much richer set of cross signatures at the
> Kernel Summit in Prague in a few months.

I was actually more worried about helping consumers convince themselves
that thusly signed keys indeed belong to producers like Linus, Peter,
etc.

There are those who worry that the DNS record to code.google.com/ for them
may point at an evil place to give them rogue download material. A "Here
are the keys you can verify our trees with" message on the mailing list,
even if the message is signed with GPG, would not be satisfactory to them.