> > If the MD5SUMS files are purely for validating downloads[3], could the
> > completely useless/misleading GPG files be dropped?
>
> They are far from useless - they are the only way to validate the hash
> information based on trust roots that are (or should be) on your
> system already.
>
> Neal McBurnett http://mcburnett.org/neal/
>
> > /Lamby

Forgive me if I'm missing the obvious. Why should any of the keys in [1] be in my system already? The ftpmaster key might be there if I'm starting with Ubuntu, but I doubt it would be on a fresh Gentoo system, for example.

How would I go about trusting any of these keys? If I can't, then what is the value of keeping the .gpg, other than to lead me into a (potentially) false sense of security?

John

[1] http://preview.tinyurl.com/2llzqr