On 22/03/16 18:30, Peter Lebbing wrote:
> On 22/03/16 19:14, Andrew Gallagher wrote:
>> All this is true. But this does not help *me* one iota.
> 
> It sounds to me like you're not looking for the Web of Trust, which is indeed
> very limited in its options. Instead, you are probably looking for something
> more like TOFU, in the sense that this developer whose signature you see is
> the same one whose signature you saw last time.

Only for a project with one developer! Otherwise, the person who signs
it could legitimately change between releases. Large projects often have
a separate release signing key, but not apache it seems...

And at the risk of getting shot down (again), TOFU doesn't work. Not
because TOFU is broken (it's a perfectly valid method), but because
*people* are broken. How many times have you blithely clicked through an
ssh "WARNING: the remote host key has changed!" prompt? ;-)

A
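The thread argues that TOFU fails in practice because people click through "key changed" warnings, and that multi-maintainer projects without a dedicated release key break the one-signer assumption. The following is an added example, not code from the thread or from GnuPG, showing how a release-verification wrapper can pin the signer's primary-key fingerprint per project and fail closed (no prompt to click through) when it changes, while allowing more than one pinned key per project so several maintainers or a separate release key can be trusted deliberately. It parses the real `[GNUPG:] VALIDSIG` status line that `gpg --status-fd` emits; the fingerprints, project name and status lines below are constructed sample data, and `PinStore`/`verify_release` are hypothetical names.

```python
"""TOFU-style pinning of release-signing keys that fails closed.

Added example (not from the gnupg-users thread).  The status lines and
fingerprints are constructed: "A"*40 and "B"*40 stand in for two
maintainers' primary-key fingerprints, "1"*40 for a signing subkey.
"""
import json
from pathlib import Path

# gpg --status-fd prints one VALIDSIG line per good signature:
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <reserved>
#            <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
# We pin the primary-key fingerprint so a maintainer rotating signing
# subkeys under the same primary key does not trip the check.
STATUS_MAINTAINER_A = [  # constructed sample output
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Maintainer A <a@example.org>",
    "[GNUPG:] VALIDSIG " + "1" * 40 + " 2016-03-22 1458664200 0 4 0 1 10 00 " + "A" * 40,
]
STATUS_MAINTAINER_B = [  # constructed sample output, different primary key
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2222222222222222 Maintainer B <b@example.org>",
    "[GNUPG:] VALIDSIG " + "2" * 40 + " 2016-03-22 1458664300 0 4 0 1 10 00 " + "B" * 40,
]
STATUS_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 1111111111111111 Maintainer A <a@example.org>"]


def primary_fingerprint(status_lines):
    """Return the primary-key fingerprint from the first VALIDSIG line, or None."""
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # Primary fingerprint is the optional 12th field; fall back to the
            # signing key's own fingerprint when gpg omits it.
            return fields[11] if len(fields) >= 12 else fields[2]
    return None


class PinStore:
    """Per-project list of pinned primary-key fingerprints (hypothetical helper)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None keeps pins in memory
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def add_pin(self, project, fingerprint):
        """Deliberate operator action, e.g. adding a second maintainer or a
        dedicated release key.  This is the only way a new key gets trusted."""
        self.pins.setdefault(project, [])
        if fingerprint not in self.pins[project]:
            self.pins[project].append(fingerprint)
        self._save()


def verify_release(store, project, status_lines, first_use=False):
    """Return (accepted, reason).  Never prompts: a changed key is a hard reject."""
    fpr = primary_fingerprint(status_lines)
    if fpr is None:
        return False, "no-valid-signature"
    pinned = store.pins.get(project)
    if pinned is None:
        if not first_use:
            return False, "not-pinned"          # refuse to trust silently
        store.add_pin(project, fpr)
        return True, "pinned-on-first-use"
    if fpr in pinned:
        return True, "matches-pin"
    # The ssh-style "host key has changed" moment: reject, do not ask.
    return False, "key-changed:" + fpr


if __name__ == "__main__":
    store = PinStore()
    print(verify_release(store, "example-project", STATUS_MAINTAINER_A, first_use=True))
    print(verify_release(store, "example-project", STATUS_MAINTAINER_B))  # rejected
    store.add_pin("example-project", "B" * 40)                             # explicit trust
    print(verify_release(store, "example-project", STATUS_MAINTAINER_B))  # accepted
```

The design choice worth noting is that `verify_release` has no "continue anyway" path: the only way past a `key-changed` result is an explicit `add_pin`, which an operator should do after confirming the new key out of band (for example against the project's published key list), not in the same breath as the failed verification.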


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
