| 1 |
> As for a keyring - all a developer has to do is create their own key, |
| 2 |
> and verify the fingerprint with someone... Doing a three way phone call |
| 3 |
> would work |
| 4 |
|
| 5 |
No, it wouldn't. |
| 6 |
|
| 7 |
> one person is someone we all trust, |
| 8 |
|
| 9 |
Exactly _who_ is that person we all trust? I don't know any of the other |
| 10 |
devs personally, and when it comes to key(rings), I don't trust any of |
| 11 |
them either (no offense intended). |
| 12 |
|
| 13 |
> the other person is |
| 14 |
> there to verify the fingerprint (as is the first person), and the last |
| 15 |
> person is the person being added to the keyring... A simple challenge |
| 16 |
> and response... |
| 17 |
|
| 18 |
I'd rather trust seemant or drobbins or whoever granted CVS access for |
| 19 |
Gentoo. Every dev can put their public key on the dev machine for one |
| 20 |
keyring manager to sign them. (This can be done by a 1777 chmod'ed |
| 21 |
directory.) |
| 22 |
|
| 23 |
-- |
| 24 |
Maik Schreiber, Gentoo Developer |
| 25 |
http://www.gentoo.org |
| 26 |
mailto:blizzy@g.o |
Archives