03.04.2014 00:50, Jonathan McDowell wrote:
> Public keyservers aren't expected to provide verification of key
> authenticity. The signatures on the keys themselves do that. The Debian
> Live CD key is signed by Daniel, whose key is then signed by many other
> DDs (and present in the debian-keyring package). If we pushed the Live
> CD role key to the debian-keyring package we're still assuming the user
> has access to a Debian box to install it and then also has a proper
> trust path (presumably via the shasums on the APT package lists and then
> the Debian archive signing key for those package lists) to that package.
> If they're not using a Debian box to write the live CD then none of
> these pieces help.
>
> In short putting the Live CD key in the debian-keyring package doesn't
> demonstrably solve the problem of verifying a Live CD that I can tell.
Putting the Live CD key in the debian-keyring package makes verification MUCH easier. It would be enough just to run `gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg /path/to/SHA1SUMS.sig', instead of having to find a signature made by the right key.
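The check the reply proposes, carried through end to end as an added example (not code from the bug report, from Debian or from either poster): a pinned keyring file handed to gpgv, then sha1sum against the image. Everything it signs and verifies is constructed on the fly: the "role key" and the unrelated key are throwaway ed25519 keys under example.invalid user IDs, the image is a few bytes of text, and the file names SHA1SUMS.sign and debian-live-test.iso are assumptions; the only real parts are gpg, gpgv and sha1sum. The keyring path /usr/share/keyrings/debian-role-keys.gpg from the thread is replaced by the generated role-keys.gpg, which is the same kind of file (binary OpenPGP public key packets, as written by gpg --export).

```shell
#!/bin/sh
# Added example, not from the bug thread or from Debian: build a throwaway
# "Live CD role key", export it into a keyring file of the kind gpgv --keyring
# takes, sign a SHA1SUMS file for a fake image, then verify the way the reply
# suggests. Keys, user IDs, file names and the image are all constructed here.
set -eu

# Create the fixture under a fresh temp dir; sets WORK and GNUPGHOME.
build_fixture() {
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    mkdir "$WORK/media"

    # Two unprotected signing keys: the role key that signs releases, and an
    # unrelated key standing in for "some other signature on a keyserver".
    for uid in 'Live CD role key (test) <live@example.invalid>' \
               'Unrelated key (test) <other@example.invalid>'; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" ed25519 sign 0 2>/dev/null
    done
    # One-key binary keyrings: the shape a debian-role-keys.gpg style file has.
    gpg --batch --export live@example.invalid  > "$WORK/role-keys.gpg"
    gpg --batch --export other@example.invalid > "$WORK/other-keys.gpg"

    # Stand-in image plus the SHA1SUMS and detached signature shipped beside it
    # (constructed; the .sign name is an assumption).
    printf 'not really an ISO\n' > "$WORK/media/debian-live-test.iso"
    ( cd "$WORK/media" && sha1sum debian-live-test.iso > SHA1SUMS )
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user live@example.invalid \
        --output "$WORK/media/SHA1SUMS.sign" \
        --detach-sign "$WORK/media/SHA1SUMS" 2>/dev/null
}

# The verification the reply describes: gpgv restricted to one pinned keyring,
# then the checksum list. Returns 0 only if the signature over SHA1SUMS is
# good under that keyring AND the image matches its listed SHA-1.
verify_live_image() {
    keyring=$1; dir=$2
    ( cd "$dir" \
      && gpgv --keyring "$keyring" SHA1SUMS.sign SHA1SUMS 2>/dev/null \
      && sha1sum -c SHA1SUMS >/dev/null 2>&1 )
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

main() {
    build_fixture
    verify_live_image "$WORK/role-keys.gpg" "$WORK/media" \
        && echo "role keyring:    signature and checksum OK"
    # A keyring without the role key: gpgv cannot even evaluate the signature.
    if verify_live_image "$WORK/other-keys.gpg" "$WORK/media"; then
        echo "BUG: unrelated keyring accepted"
    else
        echo "other keyring:   rejected (no public key for the signature)"
    fi
    # An image altered after signing: the signature still holds, sha1sum -c fails.
    printf 'x' >> "$WORK/media/debian-live-test.iso"
    if verify_live_image "$WORK/role-keys.gpg" "$WORK/media"; then
        echo "BUG: modified image accepted"
    else
        echo "modified image:  rejected by the checksum step"
    fi
    cleanup
}

# Run the demonstration when gnupg and gpgv are installed.
if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then main; fi
```

The point of `--keyring` here is that gpgv consults only the file you name, so the answer does not depend on whatever else has been imported into the user's keyring or fetched from a keyserver; the two negative cases show that a signature from a different key and a post-signing change to the image both fail closed.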