On Wed, Dec 9, 2015 at 2:04 PM, Jeff King <peff@xxxxxxxx> wrote:
>
> Of course you can't just fetch the v1.7.1.4 tag _now_, because the same
> person impersonating the most recent tag could also be impersonating
> (and back-dating) the older tags. But you could fetch it now, store it
> somewhere trusted (e.g., on your laptop), and wait two weeks. If you
> find no public outcry over hacked git, then it is probably OK to assume
> that is the real key.
>

With all of us pointing out 96AFE6CB being the right hash, you may or may not
trust the list enough to also trust the key now.

But the mailing list server may be hacked and run a s/good-hash/bad-hash/g
on each email such that we cannot tell you via email what the right hash of
Junio's key is.

That's why the web of trust is built using side channels, i.e. not just the
internet. Usually people meet and check face-to-face if the other person is
the person they claim to be and if their key checks out.