> -----Original Message-----
> From: sebb [mailto:[EMAIL PROTECTED]
> 
> Even if you can't establish a trust path, the PGP signature gives a
> bit more assurance than a hash. The KEY file should be in SVN, so you
> can ensure that the person that added the key to the KEY file was at
> least a committer to SVN.

That's only for the users who have https access to SVN (and who can reliably
verify the SSH key of the server). The others have to assume that the server
from which they are reading the KEY file is the real one.

Gilles


