On Tue, Feb 04, 2014 at 08:11:28PM +0100, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie <[email protected]>:
>
> > signify(1) makes things more transparent: no chain of trust, pure keys.
> >
> > One cool thing is that the signatures are small enough that they can be
> > embedded directly in the package (which already has sha256 for everything).
> >
> > This has the advantage of decentralization: package snapshots can be
> > partially synchronized, and still each package carries its own signature.
> > Less margin for strange errors -> stuff that works most of the time ->
> > more trustworthy.
>
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key which is stored on OpenBSD
> servers (MITM)? signify is a step in the right direction but does not
> fix anything. We need trusted key distribution (or verification) for
> signify - without it we will be stuck on the same shit (but
> successfully verified).
Sigh... the public key is part of BASE, not part of the package, of course.

You can't be sure. How can you be sure? Meet Theo, ask him whether the
fingerprint for the public key you have is the correct one. But how can you
be sure that's Theo? Or me for that matter?

See? That's the whole problem with trust.

Simplest solution for that is to tell you like it is: you don't really exist,
my friend. We're just figments of your imagination.
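As an added illustration of the two points above, the key-distribution problem Daniel raises and the out-of-band fingerprint comparison Marc describes, here is example code that is not from the thread or from OpenBSD's signify. It assumes the signify file layout ("untrusted comment:" line, then base64 of a 2-byte algorithm tag, an 8-byte key number and the key or signature), takes SHA-256 of the raw key as the fingerprint you would read out to Theo (a convention assumed here, not one signify defines), and deliberately omits the Ed25519 signature check itself.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real OpenBSD keys): a public key file and a
# signature file that carry the same 8-byte key number.
_KEYNUM = bytes.fromhex("0102030405060708")
_PUBKEY = bytes(range(32))   # placeholder 32-byte Ed25519 public key
_SIG = bytes(64)             # placeholder 64-byte signature (not a valid one)

SAMPLE_PUBKEY_FILE = ("untrusted comment: constructed example key\n"
                      + base64.b64encode(b"Ed" + _KEYNUM + _PUBKEY).decode() + "\n")
SAMPLE_SIG_FILE = ("untrusted comment: verify with constructed example key\n"
                   + base64.b64encode(b"Ed" + _KEYNUM + _SIG).decode() + "\n")


def _decode(text, body_len):
    """Return (keynum, body) from a signify-style file: comment line, then base64."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify file (missing 'untrusted comment:' line)")
    raw = base64.b64decode(lines[1])
    if raw[:2] != b"Ed" or len(raw) != 2 + 8 + body_len:
        raise ValueError("unexpected algorithm tag or length")
    return raw[2:10], raw[10:]


def pubkey_keynum(pubkey_text):
    return _decode(pubkey_text, 32)[0].hex()


def sig_keynum(sig_text):
    return _decode(sig_text, 64)[0].hex()


def fingerprint(pubkey_text):
    """SHA-256 of the raw 32-byte key (assumed fingerprint convention)."""
    _, key = _decode(pubkey_text, 32)
    return hashlib.sha256(key).hexdigest()


def matches_out_of_band(pubkey_text, expected_fp):
    """True only if the downloaded key matches the fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(pubkey_text), expected_fp.lower())


def signature_is_for_key(sig_text, pubkey_text):
    """Refuse a signature whose key number differs from the key's, as signify does."""
    return sig_keynum(sig_text) == pubkey_keynum(pubkey_text)
```

The fingerprint comparison is the step no download can replace: the expected value has to reach you over a channel the MITM does not control, which is the whole point of the exchange above.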

