On Sun, 28 May 2017 01:47:37 +0200, Ralf Mardorf wrote:

> On Sun, 28 May 2017 00:32:15 +0200, Bernhard Landauer wrote:
> > The whole point in signing archives at all is that I want to know
> > whose key it is before accepting it.
> > It doesn't make much sense to just blindly accept an unknown key.
>
> Hi Bernhard,
>
> Without doubt this is a valid point. I suspect that most, if not all,
> important keys for me suffer from missing validation. The "web of
> trust" is the weak point of signing. However, a download from an https
> page + a key that perhaps isn't validated by a web of trust, in
> combination with contact to upstream and/or distro communities, e.g. by
> mailing lists, isn't that bad. It's not absolutely secure, but still
> ok, assuming that the kernel is used e.g. for audio productions that
> don't require hardcore security.
>
> Regards,
> Ralf

PS: Not that long ago, did a validated key protect anybody from Heartbleed ;)? In the end you still need to trust upstream.

--
To unsubscribe from this list: send the line "unsubscribe linux-rt-users" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html