2009/8/10 Robin Munn <email address hidden>:
> Personally, I don't use the fingerprints shown by Launchpad as a way of
> verifying the keys. As you indirectly point out, if someone's managed to
> substitute his own key for the official PPA key on Launchpad's servers,
> it will dutifully hand me the fingerprint of the fake key.
If the attacker can break into Launchpad they can cause arbitrary
packages to be signed by the existing key.
> Checking the
> fingerprint provided by Launchpad can't prove that to me, but checking a
> GPG signature (or ten) by the member(s) of the official Bazaar team can
> prove it.
Do you want me to do any checking before signing this key, or just go
ahead and sign it now?
--
Martin <http://launchpad.net/~mbp/>
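A small check of the kind the thread argues for (signatures on the PPA key from people you already trust, rather than the fingerprint Launchpad displays), added here as an example and not code from either correspondent or from Launchpad. It parses the colon-format output of `gpg --with-colons --check-sigs`; the sample output and every key ID in it are constructed placeholders, and the list of trusted signer IDs is something you would have to establish out of band.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --check-sigs <KEYID>` output.
# All key IDs here are placeholders, not real Bazaar team or PPA keys.
# Field 2 of a "sig" record holds the check result: "!" good, "-" bad.
SAMPLE_COLONS='pub:-:1024:17:0000000000000AAA:2009-08-01:::-:::scESC:
uid:-::::2009-08-01::0000000000000000000000000000000000000000::Example PPA key <ppa@example.invalid>:
sig:!::17:0000000000000AAA:2009-08-01::::Example PPA key <ppa@example.invalid>:13x:
sig:!::1:0000000000000001:2009-08-05::::Team Member One <one@example.invalid>:10x:
sig:!::1:00000000000000FF:2009-08-06::::Somebody Else <else@example.invalid>:10x:
sig:-::1:0000000000000002:2009-08-07::::Team Member Two <two@example.invalid>:10x:'

# Hypothetical long key IDs you have verified belong to team members by some
# path that does not go through Launchpad (met in person, signed by keys you
# already trust, ...). A good signature from any other key proves nothing.
TRUSTED_SIGNERS="0000000000000001 0000000000000002"

# count_trusted_sigs TRUSTED_IDS
# Reads colon-format key output on stdin and prints how many *good* ("!")
# certifications were made by keys in TRUSTED_IDS, ignoring the key's own
# self-signature and ignoring bad signatures even from trusted signers.
count_trusted_sigs() {
    awk -F: -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "pub" { self = $5 }
        $1 == "sig" && $2 == "!" && $5 != self && ($5 in ok) { count++ }
        END { print count + 0 }'
}

# key_attested TRUSTED_IDS [MIN]
# Succeeds (exit 0) when the key on stdin carries at least MIN (default 1)
# good certifications from trusted signers.
key_attested() {
    n=$(count_trusted_sigs "$1")
    [ "$n" -ge "${2:-1}" ]
}

# Stand-alone demonstration on the constructed sample. With a live keyring
# you would instead pipe in: gpg --with-colons --check-sigs "$PPA_KEYID"
if printf '%s\n' "$SAMPLE_COLONS" | key_attested "$TRUSTED_SIGNERS" 1; then
    echo "key carries a good certification from a trusted team member"
else
    echo "no trusted certification found; do not treat this key as the team's"
fi
```

Only the signature from Team Member One counts: the self-signature, the good signature from an untrusted key, and the bad signature from Team Member Two are all ignored.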