On 20110316_150153, Boyd Stephen Smith Jr. wrote:
> On 2011-03-16 14:31:14 Dr. Ed Morbius wrote:
> >My signing this email simply says that a person who has access to the
> >associated GPG private key wrote it.
>
> Actually, it doesn't even guarantee that they *wrote* it. It guarantees they
> *read* it and were willing to sign it.
I think Todd has a point. All DDs have signing keys. But not all DDs have
authority to authorize a release of iso images. I suppose there is some chain
of trust from the DD's signing key back to some ultimately authoritative Debian
certificate. Is that so? Could someone associated with the Evil Empire create a
signing key that contains the name of a well known DD and use it to 'sign'
rogue iso images?

In other words, there does not seem to me to be a verifiable chain of trust
here. I'm sure that whoever it was who actually signed the iso release can
satisfy himself that what is available on any particular repository is a true
copy of what he signed. But who is he? And is what he signed a true copy of an
uncorrupted Debian iso image? And does he actually use the name that is on the
signing certificate as his personal name in his first life?

If I ever had reason to doubt, I would not be satisfied with what appears to be
an exercise in ritual purity.

--
Paul E Condon
pecon...@mesanetworks.net

Archive: http://lists.debian.org/20110316205552.gg9...@big.lan.gnu
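The questions Paul raises (does a chain of certifications really lead from the signer's key back to a root the verifier already trusts, and what happens when an attacker makes a key carrying a well-known DD's name) come down to two checks that operate on fingerprints, not names. The following is an added example written for this thread; it is not Debian's tooling or GnuPG code, but a small model of how a trust path is computed over a keyring. Every fingerprint, user id and certification in it is constructed, and `RELEASE_SIGNERS` stands in for whatever out-of-band list says which keys are actually authorised to sign release images.

```python
"""Toy model of a PGP-style trust path (added example, not GnuPG or Debian code).

Keys are identified by fingerprint.  A certification is a directed edge
"signer certifies target".  A key is trusted only if a chain of certifications
leads to it from the root key the verifier already trusts, and having such a
chain is still separate from being authorised to sign a release.
All fingerprints, names and certifications below are constructed.
"""
from collections import deque

# Constructed keyring: fingerprint -> user id.  Two keys carry the same
# name; only one of them is certified by anybody in the chain.
KEYRING = {
    "FP-ROOT-0001": "Debian Archive Signing Key (constructed)",
    "FP-DD-0002":   "Well Known DD <dd@example.org>",
    "FP-DD-0003":   "Another DD <other@example.org>",
    "FP-IMPOSTOR":  "Well Known DD <dd@example.org>",   # same name, unrelated key
}

# Constructed certifications: (signer fingerprint, certified fingerprint).
CERTIFICATIONS = {
    ("FP-ROOT-0001", "FP-DD-0003"),
    ("FP-DD-0003", "FP-DD-0002"),
    # nobody reachable from the root has certified FP-IMPOSTOR
}

# Constructed stand-in for the out-of-band list of keys allowed to sign
# release images: being a certified DD is not the same as holding this role.
RELEASE_SIGNERS = {"FP-DD-0003"}


def keys_named(name):
    """Names are not unique: return every fingerprint carrying this user id."""
    return sorted(fp for fp, uid in KEYRING.items() if uid == name)


def trust_path(root_fp, target_fp, certifications=CERTIFICATIONS):
    """Breadth-first search from the trusted root along certification edges.

    Returns the list of fingerprints root..target, or None if no chain exists.
    """
    edges = {}
    for signer, target in certifications:
        edges.setdefault(signer, set()).add(target)
    parent = {root_fp: None}
    queue = deque([root_fp])
    while queue:
        fp = queue.popleft()
        if fp == target_fp:
            path = []
            while fp is not None:
                path.append(fp)
                fp = parent[fp]
            return path[::-1]
        for nxt in edges.get(fp, ()):
            if nxt not in parent:
                parent[nxt] = fp
                queue.append(nxt)
    return None


def is_certified(root_fp, signer_fp):
    """True if some certification chain links the root to this key."""
    return trust_path(root_fp, signer_fp) is not None


def may_sign_release(root_fp, signer_fp):
    """A release signature is acceptable only if the key is both certified
    from the root and on the authorised-signer list."""
    return is_certified(root_fp, signer_fp) and signer_fp in RELEASE_SIGNERS


if __name__ == "__main__":
    name = "Well Known DD <dd@example.org>"
    print("keys claiming", name, "->", keys_named(name))
    for fp in keys_named(name):
        print(fp, "path:", trust_path("FP-ROOT-0001", fp),
              "release signer:", may_sign_release("FP-ROOT-0001", fp))
```

The name lookup returns both the genuine key and the impostor, which is why the name on a key decides nothing; only the impostor has no path from the root, and even the genuine DD key fails `may_sign_release` because certification and release authority are separate facts. The model says nothing about the ISO itself: in practice the signed object is a checksum list, so the remaining step is to compare the downloaded image's checksum against that list.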