| 1 |
On Mon, 8 Nov 2004 12:53:06 +0100 |
| 2 |
Tobias Klausmann <klausman@××××××××××××.de> wrote: |
| 3 |
|
| 4 |
> The idea of providing the keyring with the install images is a |
| 5 |
> double-edged sword: if I have no Internet, not having any keys |
| 6 |
> might be bad, but providing them with the image opens an attack |
| 7 |
> vector. |
| 8 |
|
| 9 |
This is a valid point, I was thinking along the lines of : when you get the install cd you have another cd that you can optionally stick in your machine, add the keys to your keyring, and start installing. You then know you have all the correct keys. |
| 10 |
|
| 11 |
Ideally the devs would meet at some specified place (a gentoo keyparty) every six months or year or so to exchange keys and prove identites. Only these keys would be added to the cd. The logistics of this would be interesting, in the "old chinese proverb" meaning of the word. :) |
| 12 |
|
| 13 |
Just a source of the keys when your installing would be nice, but I do see the the "double-edged" point. |
Archives