Secrecy and user trust

Jeff Spaleta jspaleta at gmail.com
Fri Sep 5 16:46:51 UTC 2008


On Fri, Sep 5, 2008 at 5:59 AM, Bill Davidsen <davidsen at tmr.com> wrote:
> This is a (hopefully) one-time problem, and therefore it probably doesn't
> need a perfect, automated, runs-by-itself solution. And my assumption has
> been that some people at other repositories do personally know and interact
> with official people in the Fedora project, and that there is an out-of-band
> way to pass information to the people at some other repository.

Your assumption absolutely breaks the trust metric. Assume you're wrong. Assume
that 3rd party repositories are treated just like any other end-user
to Fedora...because they are just other end-users with absolutely no
special relationship. Assume that.. because that's how it stands.

> Given the
> nature of the problem, that could mean carrying a CD a hundred miles to meet
> with someone who is personally known to you from a presentation, etc, etc.
> It need not be pretty, let's assume that this is a one-time problem.

Are you seriously telling us to wait to distribute keys to people so we
can get updates flowing again until someone has flown several hundred
miles and done the GPG key signing dance with a 3rd party repo
signatory and then flown back?  Right now for this one time problem..
that is absolutely not worth it.  Nor will that ever be worth it.
Especially since every single one of our users was already using a
key that didn't rely on a physical face-to-face 3rd party key signing
up to this point.

-jef
