On Mon, Jul 02, 2012 at 11:34:15AM -0700, anots...@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
>
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trusted
> source either, or is there?

The ISO images, like the rest of the archive, are signed using OpenPGP
(GnuPG) signatures. You can obtain the signing key from db.debian.org
or the public keyservers.

> If the answer is no, which were the correct component to file a bug
> against?

None. The signing is rather more secure than what a TLS connection
would give you. It's signed by a number of Debian developers, and
backed by the entire web of trust (many thousands of signatures).
You don't need to download the signing (public) key securely in
order to validate that you have the correct one--it's not rooted
in a single place.

If you go and meet some developers and sign each other's keys, you
can be a part of this web of trust. i.e. trace the signature all
the way back to *your* key. This is real trust, based upon real
people trusting each other, rather than just having some purchased
certificate--how much trust do you place in one of those?

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
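
The trust-path idea in the reply above, as an added example that is not part of the original message: a key fetched over any channel is accepted only if a chain of certifications leads from your own key to it. The key names and certification list are constructed placeholders, each certification is assumed to have been cryptographically verified already, and the search is a simplification (GnuPG's real validity calculation also weighs owner trust and marginal signatures).

```python
from collections import deque

# Constructed sample data: (signer, signed) means "signer certified signed's key".
# All names are hypothetical placeholders, not real Debian keys.
CERTIFICATIONS = [
    ("me", "dev-alice"),                 # you met Alice and signed her key
    ("dev-alice", "dev-bob"),
    ("dev-bob", "iso-signing-key"),
    ("dev-alice", "dev-carol"),
    ("dev-carol", "iso-signing-key"),
    # A lookalike key certified only by its own cluster: no path from "me".
    ("mallory", "fake-iso-signing-key"),
    ("fake-iso-signing-key", "mallory"),
]


def build_graph(certs):
    """Map each signer to the set of keys it has certified."""
    graph = {}
    for signer, signed in certs:
        graph.setdefault(signer, set()).add(signed)
    return graph


def trust_path(certs, own_key, target_key, max_depth=5):
    """Return the shortest certification chain own_key -> target_key, or None.

    max_depth bounds the number of certifications in the chain, mirroring
    the idea that very long chains should not be relied upon.
    """
    graph = build_graph(certs)
    queue = deque([[own_key]])
    seen = {own_key}
    while queue:
        path = queue.popleft()
        if path[-1] == target_key:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already at the limit, do not extend it
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for key in ("iso-signing-key", "fake-iso-signing-key"):
        print(key, "->", trust_path(CERTIFICATIONS, "me", key))
```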