On Wed, Sep 28, 2011 at 08:50:49PM -0700, Junio C Hamano wrote:
>
> I was actually more worried about helping consumers convince themselves
> that thusly signed keys indeed belong to producers like Linus, Peter,
> etc. There are those who worry that DNS record to code.google.com/ for
> them may point at an evil place to give them rogue download material.
> "Here are the keys you can verify our trees with" message on the mailing
> list, even with the message is signed with GPG, would not be satisfactory
> to them.

What do you mean by "consumers" in this context? Most end users don't actually download tarballs from www.kernel.org or code.google.com! :-)

If you mean developers at Linux distributions Red Hat, SuSE, or Handset manufacturers such as Samsung, HTC, Motorola, etc., there will be many of those representatives at LinuxCon Europe and CELF (Consumer Electronics Linux Forum) Europe conferences, which will be colocated with the Kernel Summit in Prague.

If you are thinking of random developers located in far-flung places of the world who don't have any contact with other Linux developers, this is a previously unsolved problem. There are links into the developing Kernel GPG tree that are signed by the GPG web trust used by Debian, OpenSuSE, and (soon) Fedora. Given that people generally have to trust one or more of those web of trusts, that's the best we can do, at least as far as I know.

If you can suggest something better, please let me know!

- Ted