On Sun, Apr 02, 2000 at 01:36:56PM +1000, Anthony Towns wrote:
> On Sat, Apr 01, 2000 at 03:38:29PM +0200, Marcus Brinkmann wrote:
> > I could not trust either. The former, because it is stored on a network
> > connected machine, the latter because it is transferred over the net (if it
> > is shared among the security team). Of course, if the security team use
> > their personal key in the latter case, I can trust it.
> 
> Are you really sure that no developer stores their key on a net connected
> machine?

No, but if I find out, I can investigate the installed packages or delete his
key from my personal copy of the debian-keyring (and could configure the
not-existing dpkg-verify software to use this smaller keyring), if I really
cared.

Do you see the difference? I can make an informed decision, while in the signed
packages file case, I can not verify the origin of any of the packages I don't
have the changes file for.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org    Check Key server
Marcus Brinkmann              GNU    http://www.gnu.org       for public PGP Key
[EMAIL PROTECTED], [EMAIL PROTECTED]                         PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/          [EMAIL PROTECTED]
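The two trust models argued over in this message, as an added example that is not part of the thread and not any Debian tool: per-upload verification of a developer-signed .changes file against a personal (possibly pruned) keyring, versus integrity checking against a single archive-signed Packages index. The .deb contents, the two developer key IDs (0xAAAAAAAA, 0xBBBBBBBB) and the .changes bodies are constructed inline; the PGP signature check itself is not modelled, so the "signer" field stands for the key ID that `gpg --verify` would report on the real file. The Files: stanza follows the format of the time (md5sum, size, section, priority, filename).

```python
import hashlib

# Constructed package contents, standing in for real .deb files on a mirror.
DEB_FILES = {
    "foo_1.0-1_i386.deb": b"constructed contents of foo 1.0-1",
    "bar_2.3-4_i386.deb": b"constructed contents of bar 2.3-4",
}


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def make_changes(source, filenames, signer_keyid):
    """Build a constructed .changes body. The Files: stanza lists
    'md5sum size section priority filename' per file. The signature is
    not modelled: 'signer' is the key ID gpg would report (assumption)."""
    lines = ["Format: 1.5", "Source: " + source, "Files:"]
    for name in filenames:
        data = DEB_FILES[name]
        lines.append(" %s %d main optional %s" % (md5hex(data), len(data), name))
    return {"body": "\n".join(lines) + "\n", "signer": signer_keyid}


def parse_files(changes_body):
    """Return {filename: (md5sum, size)} from the Files: stanza."""
    out, in_files = {}, False
    for line in changes_body.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files:
            if not line.startswith(" "):
                break
            md5sum, size, _section, _priority, name = line.split()
            out[name] = (md5sum, int(size))
    return out


def verify_with_changes(changes, keyring):
    """Model of a 'dpkg-verify' run against a personal keyring: the upload
    is accepted only if its signer is in the keyring AND every file listed
    in the .changes matches the checksum and size recorded there."""
    signer = changes["signer"]
    if signer not in keyring:
        return (False, "signer %s not in my keyring" % signer)
    for name, (md5sum, size) in parse_files(changes["body"]).items():
        data = DEB_FILES.get(name)
        if data is None or len(data) != size or md5hex(data) != md5sum:
            return (False, "%s does not match .changes" % name)
    return (True, signer)


def verify_with_packages(packages_index, name, archive_key_trusted):
    """Model of a signed Packages file: integrity is checked against the
    archive's one signature, so the only origin you can establish is
    'the archive', never which developer uploaded the .deb."""
    if not archive_key_trusted:
        return (False, "archive signature not trusted")
    data = DEB_FILES.get(name)
    if data is None or md5hex(data) != packages_index[name]:
        return (False, "%s does not match Packages" % name)
    return (True, "archive")


# Constructed uploads by two developers (hypothetical key IDs).
FOO_CHANGES = make_changes("foo", ["foo_1.0-1_i386.deb"], "0xAAAAAAAA")
BAR_CHANGES = make_changes("bar", ["bar_2.3-4_i386.deb"], "0xBBBBBBBB")
# What an archive-signed Packages file carries: one md5sum per file.
PACKAGES_INDEX = {n: md5hex(d) for n, d in DEB_FILES.items()}


def decisions(keyring):
    """Per-upload verdicts under the .changes model for a given keyring."""
    return {
        "foo": verify_with_changes(FOO_CHANGES, keyring),
        "bar": verify_with_changes(BAR_CHANGES, keyring),
    }


if __name__ == "__main__":
    full = {"0xAAAAAAAA", "0xBBBBBBBB"}
    pruned = full - {"0xBBBBBBBB"}  # "delete his key from my personal copy"
    print(decisions(full))
    print(decisions(pruned))
    print(verify_with_packages(PACKAGES_INDEX, "bar_2.3-4_i386.deb", True))
```

With the full keyring both uploads verify; after pruning one developer's key his upload is refused while the other still verifies, which is the informed decision the message describes. The Packages-file path reports the same integrity result for both files but can only name "archive" as the origin.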

