| 1 |
Kurt Lieber wrote: |
| 2 |
> ... The person in charge |
| 3 |
> of releasing 2004.1 signed the ISOs with a sub-key of a personal key which |
| 4 |
> was set to expire shortly after 2004.1 was released. I'm going to remove |
| 5 |
> the .asc files from our mirrors now to try and avoid further user |
| 6 |
> confusion. |
| 7 |
> |
| 8 |
> My apologies for the mistake -- we'll try and make sure we do some better |
| 9 |
> planning for 2004.2. |
| 10 |
|
| 11 |
2004.2 is signed with a nice new <releng@g.o> key, keyid 17072058, |
| 12 |
but unfortunately that key itself isn't signed by anyone at all, such |
| 13 |
that I could trace the web of trust from my own key to it. |
| 14 |
|
| 15 |
For example, PGP Pathfinder sees multiple paths from my 8A560A4E to your |
| 16 |
27ED2046, but nothing for the last hop from 27ED2046 to 17072058. |
| 17 |
Ideally the Gentoo people who know the key to be legitimate would have |
| 18 |
put their signatures to it. |
| 19 |
|
| 20 |
Regards, |
| 21 |
-- |
| 22 |
Anthony de Boer |
| 23 |
|
| 24 |
-- |
| 25 |
gentoo-security@g.o mailing list |
Archives