Kurt Lieber wrote:
> ... The person in charge
> of releasing 2004.1 signed the ISOs with a sub-key of a personal key which
> was set to expire shortly after 2004.1 was released. I'm going to remove
> the .asc files from our mirrors now to try and avoid further user
> confusion.
>
> My apologies for the mistake -- we'll try and make sure we do some better
> planning for 2004.2.

2004.2 is signed with a nice new <releng@g.o> key, keyid 17072058,
but unfortunately that key itself isn't signed by anyone at all, such
that I could trace the web of trust from my own key to it.

For example, PGP Pathfinder sees multiple paths from my 8A560A4E to your
27ED2046, but nothing for the last hop from 27ED2046 to 17072058.
Ideally the Gentoo people who know the key to be legitimate would have
put their signatures to it.

Regards,
--
Anthony de Boer

--
gentoo-security@g.o mailing list