On Sunday 08 January 2006 07:25, Mark A. Taff wrote:
Do you have a better idea, Anders? How else are we to get the packager's keys? Don't tell us it isn't right unless you are willing to tell us what _is_ right. Thanks.
I have, on several occasions. There needs to be something like a web of trust. For example, we all get suse's key through the distribution, we trust suse and we can trust that the key is valid since the best hacker in the world can't alter a read-only CD/DVD. So the solution is to have the packager's keys signed by suse if and only if they have established that they can be trusted. Then the users only import those keys which have been signed by a trusted source. This can be delegated so that suse's key signs some delegate key with full trust, and this delegate can then sign packagers' keys. And of course suse's key doesn't have to be the only fully trusted key, so long as the others also come from fully trusted sources on fully trusted media. This has the drawback that not just anyone at any time can build a package and upload it to a repo, but it has the huge advantage that the repos can actually be trusted without having to trust the system admin.
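The import rule described above (roots from read-only media, delegates signed with full trust, packager keys only importable when certified by a root or a delegate), worked through as an added example; this is not code from the thread or from any distribution's tooling, and all key ids and signatures are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    signer: str       # key id of the key that made the signature
    signee: str       # key id of the key being certified
    full_trust: bool  # True: signer also delegates the right to certify further keys

# Constructed sample data; the key ids are placeholders, not real distribution keys.
ROOTS = {"DISTRO-ROOT-KEY"}  # shipped on the read-only install media, hence fully trusted
SIGNATURES = [
    Signature("DISTRO-ROOT-KEY", "DELEGATE-A", full_trust=True),   # root delegates to a maintainer
    Signature("DELEGATE-A", "PACKAGER-1", full_trust=False),      # delegate vouches for a packager
    Signature("PACKAGER-1", "PACKAGER-2", full_trust=False),      # packager vouches for a friend: no authority
    Signature("RANDOM-KEY", "PACKAGER-3", full_trust=True),       # chain that never reaches a root
    Signature("DELEGATE-B", "PACKAGER-4", full_trust=False),      # listed before B's own delegation
    Signature("DELEGATE-A", "DELEGATE-B", full_trust=True),       # second-level delegation
]

def trusted_keys(roots, signatures):
    """Return (importable, delegates).

    importable: keys a user may import, i.e. the roots plus every key certified
    by a delegate.  delegates: keys allowed to certify further keys, i.e. the
    roots plus every key a delegate signed with full trust.  Iterates to a
    fixed point so the order of signatures does not matter.
    """
    importable = set(roots)
    delegates = set(roots)
    changed = True
    while changed:
        changed = False
        for sig in signatures:
            if sig.signer not in delegates:
                continue  # signer holds no authority: the signature is ignored entirely
            if sig.signee not in importable:
                importable.add(sig.signee)
                changed = True
            if sig.full_trust and sig.signee not in delegates:
                delegates.add(sig.signee)
                changed = True
    return importable, delegates

def may_import(key_id, roots=ROOTS, signatures=SIGNATURES):
    """Decide whether a packager key found in a repository should be imported."""
    importable, _ = trusted_keys(roots, signatures)
    return key_id in importable

if __name__ == "__main__":
    for key in ("PACKAGER-1", "PACKAGER-2", "PACKAGER-3", "PACKAGER-4"):
        print(key, "import" if may_import(key) else "reject")
```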