On Mon, Jul 02, 2012 at 11:34:15AM -0700, [email protected] wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
>
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trusted
> source either, or is there?
>
> If the answer is no, which were the correct component to file a bug
> against?
>

I agree with the OP that it is not necessarily easy to become a part of
the greater GPG / Debian web of trust. As a simple Debian user and
administrator, I have never had the occasion to meet a Debian developer
in person.

A while back I started a thread about how to properly verify the Lenny
iso, which Steve McIntyre helped me out with.

http://lists.debian.org/debian-user/2010/07/msg00492.html

Basically you can use the debian-keyring package to obtain keys of many
Debian developers. You can have a high level of trust that those keys
are real because the package is signed and apt-get would notify you if
the signature was not real. The iso you are downloading should be signed
by someone in that keyring.

-Rob
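
The check described in the message above, written out as an added example that is not part of the original post. Assumptions: the checksum list and its detached signature are named SHA256SUMS and SHA256SUMS.sign, the signer's key is in /usr/share/keyrings/debian-keyring.gpg from the debian-keyring package, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed: debian-keyring was installed with apt-get and the
# signer's key is in the keyring file below; file names are placeholders.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-keyring.gpg}

# Step 1: verify the detached signature over the checksum list against the
# keyring shipped in the apt-verified package.
sums_signature_ok() {
    [ -r "$KEYRING" ] || return 1
    gpgv --keyring "$KEYRING" "$2" "$1" >/dev/null 2>&1
}

# Step 2: compare the image's SHA-256 with its entry in the checksum list.
iso_hash_ok() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1      # image is not listed at all
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# The hash only means something once the list itself is authenticated,
# so a signature failure stops before any hashing.
verify_iso() {   # usage: verify_iso SHA256SUMS SHA256SUMS.sign image.iso
    sums_signature_ok "$1" "$2" || { echo "signature on $1 not verified" >&2; return 2; }
    iso_hash_ok "$1" "$3" || { echo "checksum mismatch for $3" >&2; return 3; }
    echo "OK: $3 matches a checksum list signed by a key in $KEYRING"
}

# Run directly as: sh verify.sh SHA256SUMS SHA256SUMS.sign image.iso
if [ "$#" -eq 3 ]; then verify_iso "$@"; fi
```

Set KEYRING to another file from the package if the signing key lives in a different keyring there.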

