Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
dana wrote on Fri, 10 Jul 2020 23:25 -0500:
> On 10 Jul 2020, at 18:49, Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx> wrote:
> > Agreed it'd be a good thing.  
> 
> Yeah. I meant to get it sorted before, there just wasn't a convenient
> opportunity. I'm not very familiar with GPG trust etiquette, but if there's a
> good way we can establish trust remotely the next time we're collaborating or
> w/e that'd be OK with me

The general rule is that you should only sign somebody's public key if
you are *certain* that whoever controls the private key is indeed the
person whose name is on the key.

Some people say you should perform the verification in person against
a passport (or other government-issued photo id).

Other people argue that passports don't actually add much security,
since the average open source contributor is not able to identify
fake passports at a glance, and in any case verifying a passport
doesn't defend against state adversaries.

Before social distancing, verifying people's PGP keys at conferences
provided a social defence: to paraphrase Linus, many eyeballs make all
impersonators shallow.

In the end, the question is what would convince you that someone
who claims to be danielsh is in fact danielsh; and which people who are
already connected to the Web of Trust would be able to be convinced
that you are in fact the owner of the public key that bears your name.

Cheers,

Daniel
(https://m.xkcd.com/1121/)
