On Sun, 28 May 2017 00:32:15 +0200, Bernhard Landauer wrote: >the whole point in signing archives at all is that I want to know >who's key it is before accepting it. >It doesn't make much sense to just blindly accept an unknown key Hi Bernhard, without doubts this is a valid point. I suspect that most, if not all important keys, for me suffer from missing validation. The "web of trust" is the weak point of signing. However, a download from a https page + a key that perhaps isn't validated by a web of trust, in combination with contact to upstream and/or distro communities, e.g. by mailing lists, isn't that bad. It's not absolutely secure, but still ok, assuming that the kernel is used e.g. for audio productions, that don't require hardcore security. Regards, Ralf -- To unsubscribe from this list: send the line "unsubscribe linux-rt-users" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
