Why ISO's not signed with ftpmaster key?

shukov
Posts: 1
Joined: 2006-08-23 09:32

#1 Post by shukov »

My question is why the sarge ISOs are not signed with the ftpmaster key.
I want to download a Sarge DVD and verify the signature of the
MD5SUM file to see if it's not manipulated, and I can check the md5 sums
with it later.

gpg tells me that the signature cannot be verified, because I don't
have the public key on my keyring. I expected that the ISOs (the
MD5SUM files) are signed with the ftpmaster key, which is on my
keyring.
If I tell gpg to get the key from the keyserver, it tells me that the key is not found. After investigating a while on the net I found out that the key belongs to Steve McIntyre (steve@einval.com), somebody I never heard of. That's surely because I don't know the Debian project very well. But I don't think it's a very good way to sign the most important downloads with a key only Debian insiders know. Why isn't the ftpmaster key used?

Jeroen
Debian Developer, Site Admin
Posts: 483
Joined: 2004-04-06 18:19
Location: Utrecht, NL

#2 Post by Jeroen »

CDs and DVDs are not produced by the ftp-master team, and therefore not signed by their (our) key.

I do believe it'd be good to sign it with some better known general key, but by whatever means that's arranged, just a key isn't trusted and doesn't add any value in itself; it'll need to be signed by people who manage the cd/dvd building to introduce it into the strong set, and then you're basically back to square one.

For what it's worth, Steve McIntyre is the Debian developer coordinating and doing the cd/dvd building. You will find that his key is signed by a large quantity of Debian developers.

You can start a discussion on the 'debian-cd@lists.debian.org' list to get this dealt with better, I'm sure people are willing to discuss it and work on it. FTP-master keys might get some different handling too, because with apt-get signatures are now checked by default (maybe a different key for stable releases?), and then we can think about signing cd/dvd's with that same key too.

--Jeroen
Member of ftp-master team
Also the administrator of cd/dvd building machine
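
The two-step check discussed in this thread (verify the signature on the MD5SUMS file, then check the image against it), as an added example that is not part of the original posts: it reads GnuPG's machine-readable `--status-fd` lines and fails closed unless the signature comes from an expected, trusted key. The fingerprint, key ID, file name and status lines are constructed sample values, and the function names are hypothetical.

```python
import hashlib

# Constructed sample values, not real Debian key material.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
NO_KEY = ("[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 00 1156320000 9\n"
          "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <cd@example.org>\n"
        f"[GNUPG:] VALIDSIG {FPR} 2006-08-23 1156320000 0 3 0 17 2 00 {FPR}\n")
IMAGE = b"constructed stand-in for ISO contents"
MD5SUMS = hashlib.md5(IMAGE).hexdigest() + "  example-dvd-1.iso\n"


def classify_signature(status, expected_fpr):
    """Classify `gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS` output."""
    seen, fpr, trust = set(), None, None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] ") or len(line.split()) < 2:
            continue
        keyword, *args = line.split()[1:]
        seen.add(keyword)
        if keyword == "VALIDSIG":
            fpr = args[-1] if len(args) >= 10 else args[0]  # primary key fpr
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if seen & {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "bad-signature"
    if seen & {"NO_PUBKEY", "ERRSIG"}:
        return "key-missing"            # post #1: key not on the keyring
    if fpr is None:
        return "unsigned"
    if fpr != expected_fpr:
        return "unexpected-signer"
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "trusted"
    return "good-but-untrusted"         # post #2: a key alone adds no trust


def verify_image(status, expected_fpr, md5sums, name, data):
    """Compare the image hash only when the MD5SUMS signature is trusted."""
    verdict = classify_signature(status, expected_fpr)
    if verdict != "trusted":
        return verdict
    wanted = {}
    for line in md5sums.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            wanted[parts[1].lstrip("*").strip()] = parts[0].lower()
    # A real ISO would be hashed in chunks from disk rather than from memory.
    actual = hashlib.md5(data).hexdigest()
    return "ok" if wanted.get(name) == actual else "hash-mismatch"
```

The expected fingerprint has to come from a channel other than the download mirror, otherwise the comparison proves nothing.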
