On Sun, Mar 15, 2009 at 12:13:49PM +0100, Abdelrazak Younes wrote:
> On 15/03/2009 11:59, Jürgen Spitzmüller wrote:
>> Sven Hoexter wrote:
>>    
>>> Now I just need to meet you to verify your key or find a trustpath to
>>> you. :) Hm no sigs on the key. Bad. But fair enough for the moment.
>>>      
>>
>> Just tell me if there's anything I can do to make it more trustworthy.
>>    
> You should fax Sven your passport;-)

The fingerprint of the key would be a lot more useful but no fax here.


> I truly wonder why years of svn commit history and/or list activity is  
> not enough for Debian...

It's completely ok. It's just that you can still improve the usefulness. :)
What I initially asked for was an sha1sum just to ensure the integrity of
the tarball. Using gpg signatures for that is of course possible as well but
that's not really what the technology can do for you.
The full strength of gpg still requires the web of trust around it. Taking
some more or less random signature from a keyserver to check a tarball you
retrieved via anonymous ftp is kinda pointless.
So exchanging signatures with other people in person is still crucial to
make it work.

Cheers,
Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]
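
The distinction drawn in the message above, as an added example that is not part of the original message: a Python check that reads the machine-readable status lines from `gpg --status-fd 1 --verify` and separates a signature that only proves integrity from one whose key is vouched for by a trust path or by a fingerprint confirmed out of band. The sample status output, the key and the function names are constructed for illustration.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` output (not from the thread).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-03-15 1237111200 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""

FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # a trust path to the key exists


def normalize_fpr(text):
    """Drop spacing and case; insist on all 40 hex digits, never a short key ID."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a full 40-digit fingerprint")
    return fpr


def assess(status_output, pinned_fpr=None):
    """Return 'bad', 'wrong-key', 'integrity-only' or 'authentic'."""
    good, signer, trust = False, None, None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILED:
            return "bad"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Tenth argument, when present, is the primary key's fingerprint.
            signer = normalize_fpr(args[9] if len(args) >= 10 else args[0])
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not (good and signer):
        return "bad"
    if pinned_fpr is not None:
        # Fingerprint received out of band (in person, phone, printed card).
        return "authentic" if normalize_fpr(pinned_fpr) == signer else "wrong-key"
    # No pinned fingerprint: only the web of trust can vouch for the key.
    return "authentic" if trust in TRUSTED else "integrity-only"
```

A valid signature from a key with no trust path comes back as `integrity-only`, which is no stronger than a checksum fetched over the same channel as the tarball.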
