On 09/06/12 17:17, Robert J. Hansen wrote:
> My bootstrap is "I trust my Linux distribution." My distro is a trusted
> software provider, in the traditional security sense of a "trusted
> provider". If I receive software from an official Fedora repo and it is
> signed by the repo release team, that's good enough for me.

Suppose you would want to build from the vanilla source downloaded from gnupg.org and signed by "Werner Koch (dist sig)", how would you verify authenticity of that key?

I also just trust the Debian repo for my software. Unfortunately, the problem is just transferred to the signature on the ISO I download to install Debian on a new system. I do the same: download the sig from various places and compare the issuer.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
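
The comparison mentioned in the message above, as an added example that is not part of the original post: it reads the issuer key ID from each downloaded copy of a binary detached signature and reports whether all copies name the same key. It assumes old-format, version 4 OpenPGP signature packets; the helper `_sample_sig`, the source names and the key IDs are constructed for illustration. Matching issuers only show that the copies name the same key ID; the signature itself still has to be checked with `gpg --verify` against a key whose fingerprint was confirmed separately.

```python
import struct

def _subpackets(area):
    """Yield (type, data) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0:
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def issuer_key_id(sig):
    """Return the issuer key ID (hex) of a binary detached signature, or None."""
    tag = sig[0]
    if (tag & 0xC0) != 0x80 or ((tag >> 2) & 0x0F) != 2 or (tag & 3) > 2:
        raise ValueError("not an old-format signature packet")
    body = sig[1 + (1, 2, 4)[tag & 3]:]      # skip tag octet and length field
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    for area in (body[6:off], body[off + 2:off + 2 + unhashed_len]):
        for typ, data in _subpackets(area):
            if typ == 16:                    # Issuer subpacket: 8-octet key ID
                return data.hex().upper()
    return None

def compare_issuers(copies):
    """copies maps source name -> signature bytes. Return (all_agree, ids)."""
    ids = {src: issuer_key_id(sig) for src, sig in copies.items()}
    values = set(ids.values())
    return len(values) == 1 and None not in values, ids

def _sample_sig(key_id_hex):
    """Constructed test input: a minimal v4 signature packet without MPIs."""
    created = bytes([5, 2]) + b"\x00\x00\x00\x00"            # creation time
    issuer = bytes([9, 16]) + bytes.fromhex(key_id_hex)      # issuer key ID
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(created)) + created
            + struct.pack(">H", len(issuer)) + issuer + b"\xAB\xCD")
    return bytes([0x88, len(body)]) + body
```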