On Wed, Dec 17, 2008 at 05:21:30PM +0100, Martin Schröder wrote:
> 2008/12/17 Marc Espie <[email protected]>:
> > We think it's worse to sign packages than not to sign them if you don't have
> > a fairly strict process that ensures you have a correct chain of trust.
> 
> Agreed. PGP provides that, but I can understand that nobody wants GnuPG
> in base. :-{

I think a full chain of trust like PGP provides is way too much for what
we need, and too complicated. There have been security holes in the past
in full PKIs. If we don't need full PKI, it's better to have a simpler model
that a normal human can understand...

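The "simpler model" argued for above, as an added example that is not part of this thread and not OpenBSD's own code: one publisher key, pinned on the verifying side, with no certificates and no chain. The seeds, the sample package bytes and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Seed for the publisher's signing key. Constructed for this example only;
// a real publisher keeps the seed offline and ships just the public key.
var publisherSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// PublisherKeys derives the publisher's key pair from the fixed seed above.
func PublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(publisherSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignPackage signs the SHA-256 digest of the package bytes. There is no
// certificate and no chain: the signature only means something to a
// verifier that already holds and trusts this publisher's public key.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPackage checks sig over pkg against the one pinned public key.
// Any change to pkg, or a signature made by any other key, fails.
func VerifyPackage(pinned ed25519.PublicKey, pkg, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(pinned, digest[:], sig)
}

// Demo runs the three cases a package tool cares about and reports whether
// each verified: the genuine package, a tampered copy, and a package signed
// by someone who is not the pinned publisher.
func Demo() (genuine, tampered, wrongKey bool) {
	pub, priv := PublisherKeys()
	// Constructed sample content standing in for a package tarball.
	pkg := []byte("constructed sample package contents\n")
	sig := SignPackage(priv, pkg)

	genuine = VerifyPackage(pub, pkg, sig)

	bad := append([]byte{}, pkg...)
	bad[0] ^= 0x01 // flip one bit of the package
	tampered = VerifyPackage(pub, bad, sig)

	// A second, untrusted key: its signature is valid Ed25519, but not from
	// the pinned publisher, so the verifier must reject it.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	wrongKey = VerifyPackage(pub, pkg, SignPackage(otherPriv, pkg))
	return
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

The trust decision here is a single question a human can answer: is this the publisher's key or not. Rotating or revoking the key means shipping a new pinned key with the next release, which is the whole "process" the model needs; there is no intermediate certificate or web of trust to get wrong.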