> As for a keyring - all a developer has to do is create their own key,
> and verify the fingerprint with someone... Doing a three way phone call
> would work

No, it wouldn't.

> one person is someone we all trust,

Exactly _who_ is that person we all trust? I don't know any of the other
devs personally, and when it comes to key(rings), I don't trust any of
them either (no offense intended).

> the other person is
> there to verify the fingerprint (as is the first person), and the last
> person is the person being added to the keyring... A simple challenge
> and response...

I'd rather trust seemant or drobbins or whoever granted CVS access for
Gentoo. Every dev can put their public key on the dev machine for one
keyring manager to sign them. (This can be done by a 1777 chmod'ed
directory.)

--
Maik Schreiber, Gentoo Developer
http://www.gentoo.org
mailto:blizzy@g.o