Security issue when importing GPG keys [was: Where to get key A714EB87D1B1F415?]

Michel D'HOOGE list.dhooge at gmail.com
Fri Dec 8 07:53:43 UTC 2006


On Wednesday 06 December 2006 16:30, D. R. Evans wrote:
> > > I am fairly paranoid about not installing unsigned packages

On Thursday 07 December 2006 01:19, Michel D'HOOGE wrote:
> > Why do you believe you are safer once you downloaded the public
> > key of someone you don't know? As long as there is no "GPG trust path"
> > between you and the guy providing the packages, nothing has changed.

On Thursday 07 December 2006 14:39, Art Alexion wrote:
> Good point, except one thing.  A pgp key at least ensures that you continue
> to deal with the same person.
Yes. Good point for you too :-)

> Even outside repositories and email, we did 
> not necessarily have a "trust path" for most people we deal with.  Trust
> evolves over repeated dealings.  At some point we take a chance, then after
> a positive course of experience, we develop trust.
I fully agree with that too. We don't have to physically meet the person to 
give trust to him - there is a life outside of signing parties ;-)

However, what worries me is that everywhere (wikis, forums, MLs) you read that 
to get rid of the APT warnings, you simply have to import GPG keys. 
Technically, this is perfectly true. But as long as you don't know the 
providers (most cases I guess), it would be even simpler to just go back to 
old apt-get versions where the signatures weren't verified...
-- 
Michel
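The point above, that importing a key makes the APT warning go away without giving you any trust in the key's owner, can be turned into a concrete pre-import check. The script below is an added example and is not part of this mail or of APT/GnuPG: it parses the machine-readable `gpg --with-colons --list-sigs` format for a downloaded key and reports whether any key you already trust has certified it (a one-hop trust path), and prints the fingerprint so you can compare it against one obtained out of band. The listing, the key IDs, the fingerprint and the e-mail addresses in it are constructed placeholders; the `trusted_keyids` set stands in for whatever keys you have personally verified. The validity column gpg itself computes from its web of trust remains the authoritative answer; this check only makes the "who vouches for this key?" question visible before you run the import.

```python
# Added example (not from the original mail): one-hop trust-path check for a
# downloaded OpenPGP key, parsed from `gpg --with-colons --list-sigs` output.
# Importing a key silences APT's warning; this tells you whether the import
# also bought you any trust. All identifiers below are constructed.

from dataclasses import dataclass, field

# Constructed colon-format listing for a made-up repository key. It carries
# its own self-signature (class 13) plus one certification from another
# made-up key, FEDCBA9876543210. Real output has more columns; only the
# positions read below matter (key ID, fingerprint, user ID, sig class).
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1165000000::-:::scSC::::::::
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1165000000::0000000000000000000000000000000000000000::Example Repo Key <repo@example.invalid>::::::::::0:
sig:::17:0123456789ABCDEF:1165000000::::Example Repo Key <repo@example.invalid>:13x:::::8:
sig:::17:FEDCBA9876543210:1165100000::::Some Other Person <other@example.invalid>:10x:::::8:
"""

# OpenPGP user-ID certification signature types (generic, persona, casual,
# positive). Other sig classes (revocations, subkey bindings) are ignored.
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


@dataclass
class KeyInfo:
    keyid: str = ""
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    # (signer key ID, signature class, signer user ID) per certification
    certifications: list = field(default_factory=list)


def parse_listing(listing: str) -> KeyInfo:
    """Parse one key's pub/fpr/uid/sig records from colon-format output."""
    key = KeyInfo()
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            key.keyid = fields[4]            # field 5: key ID
        elif rtype == "fpr" and not key.fingerprint:
            key.fingerprint = fields[9]      # field 10: fingerprint (primary only)
        elif rtype == "uid":
            key.uids.append(fields[9])       # field 10: user ID string
        elif rtype == "sig":
            sig_class = fields[10][:2]       # field 11: e.g. "13x" -> "13"
            if sig_class in CERTIFICATION_CLASSES:
                key.certifications.append((fields[4], sig_class, fields[9]))
    return key


def pretty_fingerprint(fpr: str) -> str:
    """Group a hex fingerprint in blocks of four, as gpg prints it."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def assess_trust_path(listing: str, trusted_keyids: set) -> dict:
    """Classify a key by who certified it, relative to keys we already trust.

    Verdicts:
      self-signed-only               no one but the key itself vouches for it
      certified-only-by-unknown-keys third parties signed it, none we trust
      certified-by-trusted-key       at least one certifier is in trusted_keyids
    """
    key = parse_listing(listing)
    external = [c for c in key.certifications if c[0] != key.keyid]
    trusted = [c for c in external if c[0] in trusted_keyids]
    if trusted:
        verdict = "certified-by-trusted-key"
    elif external:
        verdict = "certified-only-by-unknown-keys"
    else:
        verdict = "self-signed-only"
    return {
        "keyid": key.keyid,
        "fingerprint": pretty_fingerprint(key.fingerprint),
        "uids": key.uids,
        "external_certifiers": sorted({c[0] for c in external}),
        "trusted_certifiers": sorted({c[0] for c in trusted}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Assumed set of keys the operator has verified in person; constructed.
    for trusted in (set(), {"FEDCBA9876543210"}):
        result = assess_trust_path(SAMPLE_LISTING, trusted)
        print(f"trusted set {sorted(trusted)}: {result['verdict']}")
        print(f"  fingerprint to compare out of band: {result['fingerprint']}")
```

With an empty trusted set the constructed key comes back as certified only by a key you do not know, which is exactly the "nothing has changed" situation described above; adding the certifier's key ID to the trusted set flips the verdict. Only the fingerprint comparison or a certifier you actually trust should decide whether the key goes into the APT keyring.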