On 2016-02-29 12:32, Łukasz 'Cyber Killer' Korpalski wrote:
W dniu 29.02.2016 o 11:52, Carlos E. R. pisze:
On 2016-02-29 10:00, Łukasz 'Cyber Killer' Korpalski wrote:
Probably a certified page with all keys used by the project for signing downloads and builds.
Certified by who?
On an https static page, at least.
At this point I trust the openSUSE Project Signing Key 0x3DBDC284 to be okay.
Sure, but how do you know that you got a correct copy of the key, not intercepted?
I signed it with my key too, so in the future I'll be able to quickly notice if this is the key I trusted today. That is enough of the web of trust, that I need.
Yes, but before signing it the first time you have to make a jump of faith that you got the correct one. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)