> OK, that's great news. And I get from the HN thread that repository keys
> are updated via signed packages, with no calls to SKS keyservers. So I'm
> no longer freaking about that level of damage.
Eh. Yes. No. Hard to say. The problem is that many of these distros allow third parties to run their own repositories under more permissive rules, and some of these third parties are extremely popular. Plus, often sysadmins will roll their own RPMs of packages: in such cases you quickly lose the ability to say definitively what will or will not happen. If the major distros update their distro signing certificates through signed packages, great: that's good. But don't go thinking that means you're out of the woods. Whenever anyone gives you concrete yes-or-no, this-will-or-won't-happen answers about a complicated ecosystem that has a ton of hidden bits that can't be seen, that person most likely has misunderstood the problem.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
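As an added example (not from this thread, and not code from GnuPG or any distribution project), the following POSIX shell script audits yum/dnf `.repo` files for the two weaknesses the reply above has in mind for third-party and sysadmin-rolled repositories: `gpgcheck` disabled or left unset, and a `gpgkey` fetched over an unauthenticated URL rather than from a local file or HTTPS. The repository names, paths and URLs are constructed sample data written to a temporary directory so the script runs offline; it assumes the conventional `key=value` layout without surrounding spaces.

```shell
#!/bin/sh
# Added example: audit yum/dnf .repo files for weak signature-verification settings.
# Sample data is constructed here; nothing is read from the real /etc/yum.repos.d.

# report_section FILE SECTION GPGCHECK GPGKEY
# Prints one line per weakness found in a single [section]; always returns 0.
report_section() {
    file=$1 sec=$2 check=$3 key=$4
    [ -n "$sec" ] || return 0          # nothing before the first [header]
    case $check in
        "") printf '%s [%s]: gpgcheck not set; relies on the [main] default\n' "$file" "$sec" ;;
        0)  printf '%s [%s]: gpgcheck=0, package signatures are never verified\n' "$file" "$sec" ;;
    esac
    case $key in
        file://*|https://*|"") ;;      # local file, TLS, or key already in the rpmdb
        *) printf '%s [%s]: gpgkey fetched over an unauthenticated URL: %s\n' "$file" "$sec" "$key" ;;
    esac
    return 0
}

# audit_repo_dir DIR
# Walks every *.repo file in DIR, tracking gpgcheck/gpgkey per [section].
audit_repo_dir() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        section="" gpgcheck="" gpgkey=""
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                \[*\])
                    report_section "$f" "$section" "$gpgcheck" "$gpgkey"
                    section=${line#\[}; section=${section%\]}
                    gpgcheck="" gpgkey=""
                    ;;
                gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
                gpgkey=*)   gpgkey=${line#gpgkey=} ;;
            esac
        done < "$f"
        report_section "$f" "$section" "$gpgcheck" "$gpgkey"   # flush last section
    done
}

# make_sample_repos
# Creates constructed .repo files (hypothetical names and URLs) and prints the dir.
make_sample_repos() {
    d=$(mktemp -d)
    printf '[base]\nname=Example base\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example\n' > "$d/base.repo"
    printf '[thirdparty]\nname=Popular third-party repo\ngpgcheck=0\ngpgkey=https://repo.example.invalid/KEY.asc\n' > "$d/thirdparty.repo"
    printf '[local-builds]\nname=Sysadmin-rolled RPMs\nbaseurl=http://mirror.example.invalid/rpms\ngpgkey=http://mirror.example.invalid/KEY.asc\n' > "$d/local.repo"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed sample and clean up.
SAMPLE_DIR=$(make_sample_repos)
audit_repo_dir "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

Against the sample data the audit reports three findings: the third-party repo with `gpgcheck=0`, and the locally built repo both for leaving `gpgcheck` unset and for pulling its key over plain HTTP; the base repo, which verifies against a local key file, is silent. Pointing `audit_repo_dir` at `/etc/yum.repos.d` gives a quick inventory of where a host's trust actually comes from, which is exactly the information the reply says is hard to state definitively from the outside.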