On 7/1/06, Carlo Calica <[EMAIL PROTECTED]> wrote:
> WRT keyservers, what's preventing someone from uploading a key with an
> assumed name/email?  Basically, how can we trust the key.  Yeah I know
> about key signing and web of trust but making contributors go to key
> signing parties is a bit much.

You can build trust for keys if they submit good packages, regardless
of whether their name is real. I suggest allowing multiple people to
sign each package, so if I test out a package signed by someone new,
and find it's good, I can resubmit it with my signed approval. That
way, people who trust me can get the package, and start to trust
whoever built the package as well.

Also, we should be able to use the same keys for email (right?), so
you can at least confirm that the same Andy Feldman that signs
packages is the one sending you email.

-Andy
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
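
The co-signing idea in the message above, sketched as an added example that is not part of the original email or of any GoboLinux tool. It assumes signatures have already been verified (for instance with gpg); the key ids, package names, promotion threshold and the rule that earned trust cannot be passed on are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: package -> (builder key id, key ids whose
# signatures verified). Key ids are placeholders, not real keys.
PACKAGES = {
    "foo-1.0": ("NEWBIE", {"NEWBIE", "ANDY"}),     # tested and co-signed
    "bar-2.1": ("NEWBIE", {"NEWBIE", "ANDY"}),     # tested and co-signed
    "baz-0.3": ("NEWBIE", {"NEWBIE"}),             # builder signature only
    "qux-4.0": ("MALLORY", {"MALLORY", "NEWBIE"}), # vouched for by NEWBIE only
    "zap-1.1": ("MALLORY", {"MALLORY"}),
}

def evaluate(packages, direct_trust, promote_after=2):
    """Return (accepted package names, builders promoted to trusted).

    Assumed policy: a builder is promoted once `promote_after` distinct
    packages of theirs carry a co-signature from a directly trusted key.
    A promoted builder vouches only for packages they built; their
    signature on someone else's package counts for nothing, so one
    reviewer's approval cannot be chained to arbitrary third parties.
    """
    endorsed = defaultdict(set)
    for name, (builder, signers) in packages.items():
        # Self-signatures never count as an endorsement of the builder.
        if builder in signers and (signers - {builder}) & direct_trust:
            endorsed[builder].add(name)
    promoted = {b for b, pkgs in endorsed.items()
                if len(pkgs) >= promote_after and b not in direct_trust}

    accepted = set()
    for name, (builder, signers) in packages.items():
        if signers & direct_trust:
            accepted.add(name)      # a key I trust directly signed it
        elif builder in promoted and builder in signers:
            accepted.add(name)      # builder earned trust via co-signs
    return accepted, promoted

if __name__ == "__main__":
    ok, promoted = evaluate(PACKAGES, direct_trust={"ANDY"})
    print("promoted:", sorted(promoted))
    print("accepted:", sorted(ok))
```

Raising promote_after makes a new builder's trust harder to earn; a name or email on the key plays no part in the decision, only which keys signed what.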
