
Re: PGP key signing (Was: Re: [Monotone-devel] Re: BZ2 & signatures)


From: Jack Lloyd
Subject: Re: PGP key signing (Was: Re: [Monotone-devel] Re: BZ2 & signatures)
Date: Tue, 1 Aug 2006 19:17:29 -0400
User-agent: Mutt/1.5.11

On Tue, Aug 01, 2006 at 04:25:33PM -0400, Ethan Blanton wrote:

> So, not to get into a big long PGP discussion here, but this is really
> not that useful.  I'm well-signed into the strongly connected subset,
> myself, but that doesn't directly translate to anything particularly
> valuable -- for example, I can find paths of length 3 from myself to
> Graydon, and similar from myself to you, but those paths are *not* via
> signers whom I trust, and as such they are not particularly useful to
> me.  It doesn't really matter to me that some guy I don't know from
> Adam has signed your key, regardless of how well I may know and trust
> the first link in the chain.
> 
> So, while increasing the size of the strongly connected set is
> academically interesting and makes for an amusing popularity contest,
> it's not really useful for something like file distribution.

I would have to disagree. While I have no chain of signatures to
Graydon's key, having it stored in my keyring means that if and when
venge.net is compromised and the monotone source code backdoored, I
would be able to detect that (assuming I checked the sig), unless
venge.net was compromised at the point when I got the key from
there. The fact that I can't actually verify the key corresponds to an
entity known in the real world as "Graydon Hoare" (assuming such an
entity actually exists) is meaningless.

Shipping the PGP fingerprints (or keys) of the developers in the
source distribution would also make for a decent transitive trust
situation. If you trust a tarball enough to compile the code and run
it, you should also be able to trust the keys contained therein are
ones you want to trust (for the purposes of verifying future monotone
builds, at least).
 
Jack



