nocturn
October 12th, 2006, 07:37 AM
I received a USN yesterday that did not come from Martin as most do.
It came from Kees Cook and it was PGP signed (which is commendable).
Yet, I did not have his key in my keyring, so I fetched it from a keyserver (no big deal here). But after that, there came the trust issue.
It was not signed with any trusted signature (not even Martin's). I checked out the signatures, and there seems to be no central Canonical signature in it.
So I think it would be good to have a key-signing key that signs the keys for the people that send out USNs so we know they really do belong to Canonical/Ubuntu (not that I have doubts in this case, but it should be obvious).
What do you guys think about this?