Zsh Mailing List Archive

gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?



Hi,
    the zsh tarballs available on sourceforge & zsh.org are signed by "dana@xxxxxxx", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@xxxxxxx" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace).
Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you?
Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each other's public gpg keys?

Joe Bloggs.
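One way to address the concern raised above, as an added example that is not part of the original message or of the zsh project: instead of relying on a web-of-trust chain to the signer, pin the signing key's full fingerprint (obtained and cross-checked out of band) and accept the tarball only when gpg's VALIDSIG status line carries exactly that fingerprint. The fingerprint, file names and signer details used here are constructed placeholders, not the real zsh signing key.

```shell
#!/bin/sh
# Verify a detached signature and require that the primary key fingerprint
# reported by gpg matches a fingerprint pinned in advance. A key with only
# self-signatures still yields VALIDSIG (trust only affects TRUST_* lines),
# so comparing the fingerprint is what actually binds the tarball to a key
# you have vetted yourself.

# check_validsig STATUS_TEXT EXPECTED_FPR
# Parses "gpg --status-fd" output. Succeeds (exit 0) only if a VALIDSIG line
# exists whose last field (the primary key fingerprint) equals EXPECTED_FPR.
# Spaces in the expected fingerprint are ignored and hex case is normalised.
check_validsig() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$1" | awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_tarball TARBALL SIGNATURE EXPECTED_FPR
# Runs gpg in batch mode with machine-readable status on stdout, then
# delegates the decision to check_validsig. gpg's own exit code is ignored
# on purpose: an untrusted-but-valid signature still exits 0, and a missing
# key exits non-zero; the status lines are the authoritative source.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_validsig "$status" "$3"
}

# Placeholder usage (not a real fingerprint or release):
# verify_tarball zsh-X.Y.tar.xz zsh-X.Y.tar.xz.asc \
#     "AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555" \
#     && echo "signature matches pinned key" || echo "REJECT tarball"
```

The pinned fingerprint should be recorded from at least two independent sources (for example the project website over TLS and a previous release you already verified) rather than from the same download location as the tarball.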


