David Thompson wrote:
> The checks consist largely in the established relationships between the builders and the organization. Somewhere you have to trust someone. The holder(s) of the signing key(s) ultimately are trusted. Deciding who should sign the RPMs and who should have access to the signing keys makes that trust explicit. Unless you (whoever openafs.org is) are going to audit diffs of source RPMs and rebuild/sign them, you're trusting the RPM builders. The act of giving someone an openafs.org signing key codifies the trust. Signing an RPM with a personal RPM key likewise codifies that an individual is operating on their own behalf.
The Windows installers are built by Secure Endpoints Inc. and signed by Secure Endpoints Inc. OpenAFS does not legally exist and cannot sign anything. It doesn't matter if the key belongs to Simon Wilkinson provided that the OpenAFS web site documents Simon Wilkinson as the builder of the RPMs and which key should be used for validation of those particular packages.
Jeffrey Altman
