incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jukka Zitting <>
Subject Re: KEYS and releases
Date Tue, 28 Jun 2011 08:53:56 GMT

On Tue, Jun 28, 2011 at 10:29 AM, Bertrand Delacretaz
<> wrote:
> Hence the need for people to download KEYS files from an *
> domain that we do control. Putting KEYS in a distribution might cause
> people to use them instead of getting them from a trusted source, and
> that's bad.

The keys should be included in the web of trust, so it shouldn't
matter from where a user gets the keys.

Without the web of trust, the PGP signatures are just a rather
elaborate version of the MD5 and SHA1 checksums we also provide.

Of course, without being included in the web of trust, the best a user
can do is to get at least one of the keys from a trusted source.


Jukka Zitting

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message