On Wednesday 22 November 2006 11:05, Hamish Moffatt wrote:
> On Wed, Nov 22, 2006 at 09:48:46AM +0100, Hendrik Sattler wrote:
> > Or even better:
> > # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs
> > A70DAF536070D3A1
> >
> > I just assume that receiving the keys via the debian-keyring package is
> > more trustworthy than via a random public server. In the default
> > configuration, it
>
> But you need to be able to validate that package in some fashion too.
To run in circles here: any proposals for a trust anchor for random users Alice and Bob?

Assuming I use the keyring-debian package from an older installation CD: if the keys to validate did not change, I kind of trust it, because if attacks are not found in such a time, the whole thing is lost anyway ;)

The GPG signing does not make authentication an always-trust-it thing. It just makes it a bit harder for an attacker (creating a fake keyring and uploading it to a random keyserver is possible, I assume).

No one has answered yet why this key is not in the debian-archive-keyring package. I thought that the whole idea was to make it available before it gets used. That would be the easiest (install it at installation time), and "apt-key update" could be used.

HS
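The cross-check the thread is circling around, as an added example that is not from the thread: take the key as fetched from a public keyserver, take the copy shipped in the debian-keyring package, and only run --check-sigs once both copies carry the same fingerprint and that fingerprint actually belongs to the requested long key ID. The keyring paths, the name of the fetched keyring and the script name are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes gpg is installed; the
# keyring paths below are assumptions. Create the fetched keyring with:
#   gpg --no-default-keyring --keyring ./fetched.gpg --recv-keys KEYID
TRUSTED_KEYRING=${TRUSTED_KEYRING:-/usr/share/keyrings/debian-keyring.gpg}
FETCHED_KEYRING=${FETCHED_KEYRING:-./fetched.gpg}

# Primary-key fingerprint from gpg --with-colons output on stdin
# (field 10 of the first "fpr" record, which belongs to the primary key).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of key ID $2 as stored in keyring file $1 (empty if absent).
keyring_fpr() {
    gpg --no-default-keyring --keyring "$1" --with-colons \
        --fingerprint "$2" 2>/dev/null | primary_fpr
}

# A v4 fingerprint is 40 hex digits whose last 16 are the long key ID, so
# anything failing this cannot be the fingerprint of the key ID asked for
# (and a bare key ID cannot be passed off as a fingerprint).
fpr_matches_keyid() {
    f=$(printf '%s' "$1" | tr a-f A-F)
    k=$(printf '%s' "$2" | tr a-f A-F)
    case "$f" in *[!0-9A-F]* | "") return 1 ;; esac
    [ ${#f} -eq 40 ] || return 1
    [ "$(printf '%s' "$f" | cut -c25-40)" = "$k" ]
}

# Both copies well-formed for key ID $3 and identical.
fprs_agree() {
    fpr_matches_keyid "$1" "$3" && fpr_matches_keyid "$2" "$3" && [ "$1" = "$2" ]
}

# Usage: sh check-key.sh A70DAF536070D3A1   (the key ID from the thread)
main() {
    trusted=$(keyring_fpr "$TRUSTED_KEYRING" "$1")
    fetched=$(keyring_fpr "$FETCHED_KEYRING" "$1")
    if fprs_agree "$trusted" "$fetched" "$1"; then
        echo "OK: keyserver copy matches debian-keyring copy: $trusted"
        # Anchor confirmed; now look at who signed it, as the thread does.
        gpg --no-default-keyring --keyring "$TRUSTED_KEYRING" --check-sigs "$1"
    else
        echo "MISMATCH or missing key: trusted='$trusted' fetched='$fetched'" >&2
        return 1
    fi
}
if [ $# -gt 0 ]; then main "$@"; fi
```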