On Monday 30 March 2009 08:28:12 Stanisław T. Findeisen wrote:
> Mikkel L. Ellertson wrote:
> > Let me see - The Gnupg package is included with Fedora. RPMs are
> > signed with a GPG key - each version has its own key. The extra
> > repositories have their own keys. When there was a possibility that
> > the keys had been compromised, new keys were issued. It is not like
> > Fedora isn't already using gpg...
> >
> > About the only change I can see would be signing the files needed to
> > do a network install...
>
> I was talking about the community more than about the repos. Is GnuPG
> widely used in the community? How about the people from M$ world?
>
> Again: promoting GnuPG would promote:
> * GNU
> * free software
> * security and authenticity
> * bazaar model
> * mutual trust
> all at the same time.
>
> Maybe that would be better than to sit and wait for Microsoft/whatever
> to sell everybody his X.509.... Wide use of encryption/digital
> signatures will come sooner or later, I guess.

If you examine my key you will see that it is signed by a number of people who
have properly verified that I am who I say I am. This is essential for the
web of trust to work, but frankly it is not understood by many people, and
I've seen conversations where people will sign anyone's key. The whole web of
trust falls apart when this happens.

Since the criteria for correct verification are very precise, I can't see most
people getting their keys signed, and without that, the point of using a key
is very limited.

Anne
--
New to KDE4? - get help from
http://userbase.kde.org
Just found a cool new feature? Add it to UserBase