>Hi!
>
>On Thu, Dec 06, 2007 at 11:23:37AM +0000, Stuart Henderson wrote:
>>On 2007/12/06 13:12, Lars Noodin wrote:
>
>>> If the installation process (from the purchased CDs) had a list of the
>>> public keys for the official mirror sites, then that would go a long
>>> way.
>
>>That would make it rather hard to revoke a key if there ever
>>was a problem.
>
>Key revocation lists in some form? If it's gpg/OpenPGP, instruct users
>to update from keyservers, one will notice when there're
>incompatibilities between the key from CD and the one from the
>keyserver, but one will also get the revocation from the keyserver. And
>if one buys every CD, there's the time window of half a year even
>without a key revocation infrastructure.
>
>Kind regards,
>
>Hannah.

Why not start selling public key lists from the order site, then those who care can order one (or more) CD(s) and a separately delivered (set of) public key lists (in sealed envelopes). Otherwise ordering CDs will suffice.

When a key is revoked (announced somewhere) or incompatibilities occur, order a new (set of) list(s).

Then there is the problem of the lists being replaced by some new list by the postman, thus ordering a set of lists instead of only one. Have them delivered by different couriers; if all of them replace the list you will probably know.

Now, that will require a lot of work, and a lot of money (a lot of fuss for a piece of paper) to scare most people off. Problem solved.

Brad, you really did start some thread. Starting with a rather innocent question. Interesting reading though.

My best to all of you,
Daniel

