Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Marc Tooley <netbsdMLpostNO@SPAM.quake.ca>
List: tech-userlevel
Date: 05/25/2004 15:13:48
On Wednesday 19 May 2004 19:12, Bill Studenmund wrote:
> On Fri, May 14, 2004 at 09:40:13AM -0700, Marc Tooley wrote:
> > Wouldn't a web-of-trust be a more reliable source of public key
> > information than a top-down hierarchy? I can be "more" sure that
> > the NetBSD public key is the real public key if a bunch of trusted,
> > intelligent friends also think it's the right public key.
[...]
> > Or am I missing something?
>
> Yes. You missed something.
>
> You confused trusting the NetBSD public key (really should be the TNF
> one, but close enough) with trusting that you have the real NetBSD
> public key. There really are two different issues in there. The first
> is a question of [basic, fundamental] trust, the second is a question
> of distribution.
The trust issue was not being differentiated before now. To me, the two
are inseparably entwined. I never said that a good, automatable
mechanism was a bad idea, nor did I ever think that once I felt I had
"the TNF key" that the signed binary packages would somehow be less
trustworthy.
Thor's reasonable explanation is a superior technical discussion upon
which I have no problem re-forming my opinion of the matter. I no
longer have any objections, especially if the top-level key is signed
by a bunch of other people.
Wittgenstein would be laughing at us right now for our poor
communication skills. "But what do you *mean*?" he'd mockingly say.