Re: [gNewSense-users] gNewSense Repository PGP Key

From: Karl Goetz
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Mon, 14 Dec 2009 10:32:23 +1030

On Sun, 13 Dec 2009 12:23:03 -0500
Eric Morey <address@hidden> wrote:

> On Sun, 2009-12-13 at 23:18 +1030, Karl Goetz wrote:
> > On Sat, 12 Dec 2009 23:17:19 -0500
> > Eric Morey <address@hidden> wrote:
> > > Isn't a wiki an inherently bad place to post a PGP key? How could
> > > I have any level of trust that it is the correct one?
> > 
> > If it doesn't match what's signing package lists in the archive, it's
> > the wrong key. If someone's MITM'd the archive I don't see why www.
> > or wiki. would be any safer.
> It is clear that I don't understand the nuances of cryptographic key
> signing. Your statement simply doesn't make sense to me. I thought
> that the purpose of the PGP key was to verify that the packages
> downloaded are: 
> a) the correct packages 

"From a trusted vendor" (aka gNS), yes. Not sure if that's what you
meant with the above or not.

> and 
> b) downloaded without error.

No, this is what the checksums in the Packages{,.gz,.bz2} lists are for.

Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
No, I won't join your social networking group

Attachment: signature.asc
Description: PGP signature
