On 2016-02-29 13:09, Marcus Meissner wrote:

So it is signed by me at least.

Yes, and I got your signature, I think, in a DVD of SuSE I bought, years ago. Being physical media, I trust it more than downloaded ;-) cer@Telcontar:~> LANG=C gpg --list-sigs 0xB88B2FD43DBDC284 pub 2048R/3DBDC284 2008-11-07 [expires: 2024-05-02] uid openSUSE Project Signing Key <opensuse@opensuse.org> sig 3 3DBDC284 2010-05-05 openSUSE Project Signing Key <opensuse@opensuse.org> sig 3 3DBDC284 2008-11-07 openSUSE Project Signing Key <opensuse@opensuse.org> sig 0175623E 2012-08-23 Marcus Meissner <meissner@suse.com> sig 3D25D3D9 2012-08-23 SuSE Security Team <security@suse.de> sig 6D8D47D5 2013-04-30 Carlos E. R. (cer) <robin.listas@telefonica.net> sig 30B94B5C 2013-05-04 [User ID not found] sig 920E6F97 2013-08-15 [User ID not found] sig D1E3EBDD 2014-02-11 [User ID not found] sig 3 3DBDC284 2014-05-05 openSUSE Project Signing Key <opensuse@opensuse.org> But that doesn't change the idea that we need a method to verify important project signatures, in order to seed or initiate the web of trust (PGP concept) a user creates. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)