oss-sec mailing list archives

Re: upstream source code authenticity checking


From: Russ Allbery <rra () stanford edu>
Date: Thu, 02 May 2013 11:10:31 -0700

Alistair Crooks <agc () pkgsrc org> writes:

> And if you seriously think someone who searches for my public key on a
> webserver, or through mail, or business card, etc, downloads my public
> key from one of the servers, imports it into their own pubring, signs it
> with their own private key, then mails it to me, or uploads it to one of
> the key servers, all without trusting me in any way, then I'll show you
> a pretty awful stalker (and fairly inefficient one, due to the need to
> sign my pubkey), a fan boy (which is hardly likely to happen in my
> case), or someone who is rather sad. (I'm discounting impaired judgement
> due to the baroque processes involved here, sorry xkcd).

I routinely do this.  It's called a key-signing party.  The only trust
that I am expressing with that signature is that I have seen and verified,
to the best of my ability, some form of reliable identification for that
person (ideally a passport I can verify, or a social environment in which
it would be very difficult to impersonate someone you are not) in
combination with a proof that the key I signed belongs to the person whose
identification I checked.

Just because someone attended a key-signing party doesn't mean that I
would, say, trust them to install software on my system.

-- 
Russ Allbery (rra () stanford edu)             <http://www.eyrie.org/~eagle/>
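The distinction drawn in this mail, between what a key-signing certification asserts and what the local user trusts the keyholder to do, is visible in GnuPG's machine-readable key listing. The parser below is an added example, not code from the thread or from GnuPG; it runs over a constructed `gpg --with-colons --check-sigs` listing with placeholder key IDs, fingerprints and addresses, and separates third-party certifications (with the RFC 4880 certification level each signer chose) from the ownertrust field, which only the local user sets and which no number of certifications changes.

```python
from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --check-sigs <keyid>` output for
# one key. Key IDs, fingerprints, timestamps and addresses are placeholders.
SAMPLE_LISTING = """\
tru::1:1367523600:0:3:1:5
pub:f:4096:1:AAAAAAAAAAAAAAAA:1367000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:f::::1367000000::1111111111111111111111111111111111111111::Example User <user@example.test>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1367000000::::Example User <user@example.test>:13x:::::2:
sig:!::1:BBBBBBBBBBBBBBBB:1367100000::::Party Attendee One <one@example.test>:13x:::::2:
sig:!::1:CCCCCCCCCCCCCCCC:1367200000::::Party Attendee Two <two@example.test>:12x:::::2:
sig:?::1:DDDDDDDDDDDDDDDD:1367300000::::[User ID not found]:10x:::::2:
sub:f:4096:1:EEEEEEEEEEEEEEEE:1367000000::::::e::::::23:
"""

# Certification classes (RFC 4880 section 5.2.1). Field 11 of a sig record is
# two hex digits plus 'x' (exportable) or 'l' (local-only, never exported).
SIG_CLASS = {
    0x10: "generic certification (no claim about how identity was checked)",
    0x11: "persona certification (identity not checked)",
    0x12: "casual certification",
    0x13: "positive certification (identity carefully checked)",
}

# Field 2 of a sig record once --check-sigs has verified the signature.
CHECK_RESULT = {"!": "good", "-": "bad", "?": "signer key not available", "%": "error"}

# Field 9 of the pub record: how far the *local* user trusts this keyholder to
# vouch for other keys. A certification made by someone else never sets this.
OWNERTRUST = {"-": "none assigned", "q": "undefined", "n": "never",
              "m": "marginal", "f": "full", "u": "ultimate"}


@dataclass(frozen=True)
class Certification:
    signer_keyid: str
    signer_uid: str
    sig_class: int
    exportable: bool
    check: str
    self_signature: bool


def parse_listing(text):
    """Return (primary key ID, ownertrust code, list of Certification)."""
    primary = None
    ownertrust = None
    certs = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, ownertrust = f[4], f[8]
        elif f[0] == "sig" and len(f) > 10 and f[10]:
            cls = f[10]
            certs.append(Certification(
                signer_keyid=f[4],
                signer_uid=f[9],
                sig_class=int(cls[:2], 16),
                exportable=cls.endswith("x"),
                check=CHECK_RESULT.get(f[1], "unchecked"),
                # A key always certifies its own user ID; that says nothing
                # about anyone else having checked the identity.
                self_signature=(f[4] == primary),
            ))
    return primary, ownertrust, certs


def third_party_certifications(text):
    """Certifications that verified as good and were made by someone else's key."""
    _, _, certs = parse_listing(text)
    return [c for c in certs if c.check == "good" and not c.self_signature]


def summarize(text):
    """Human-readable report keeping certifications and ownertrust apart."""
    primary, ownertrust, certs = parse_listing(text)
    lines = [f"key {primary}: ownertrust = {OWNERTRUST.get(ownertrust, ownertrust)}"]
    for c in certs:
        if c.self_signature:
            kind = "self-signature"
        else:
            kind = SIG_CLASS.get(c.sig_class, f"class 0x{c.sig_class:02x}")
        scope = "exportable" if c.exportable else "local"
        lines.append(f"  {c.signer_keyid} [{c.check}] {kind}, {scope}, by {c.signer_uid}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

In the sample, two attendees certified the key (one at level 0x13, one at 0x12), a fourth signature cannot be checked because the signer's key is not in the keyring, and the ownertrust column still reads "none assigned": exactly the situation described above, where a key-signing signature records that an identity was checked and nothing more.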

