[EMAIL PROTECTED] said:
> That answer is pretty easy to find, too. Look at the description of the
> debian-keyring package.

"The Debian project wants developers to digitally sign the announcements of their packages with GnuPG, to protect against forgeries. This package contains keyrings of GnuPG and (deprecated) PGP keys of developers."

Read literally, I guess you're saying the archive key isn't in there because it's not a developer's key.

More broadly, though, if one of the goals of Debian developers using gpg keys is "to protect against forgeries", and debian-keyring contains their keys to further this goal, and apt-secure is a further advancement of this same goal, then wouldn't debian-keyring be a logical way to distribute the archive's public key?

Distributing the key this way would be akin to the way SSL CA certificates are distributed via the ca-certificates package. It's not perfect, but it's better than downloading the public key from the first hit your Google search turns up. At least when it's distributed with the OS, you can compare your installed version with the one on an old CD or something.

Jason