Verification via the web of trust

Peter Lebbing peter at
Thu Mar 24 10:53:28 CET 2016

On 23/03/16 22:07, Doug Barton wrote:
> 1. You don't know if the key was in full control of the
> person/organization it purports to represent before, during, or after
> the signatures you are trusting were applied.
> 2. You don't know if the person in control of the key at the time the
> thing you care about was signed was being coerced, or not.

These situations are rather more extreme than "is somebody MITM'ing my
connection to the webserver". If you can decide that somebody
authorized by the Apache Foundation to sign off on releases actually did
sign the code you got, that's actually of value.

The trust starts somewhere; there is always some base step where you say
"I can't verify further, this will do". There are no absolutes in this
game. In fact, the two points you give are /always/ valid. They do not
make signatures useless.

If I can conclude that the Debian project accepts signatures by someone
for releases of the Apache webserver, I feel pretty confident that so
can I. Somebody might actually be playing a very intricate game. Well,
they seem to have managed to subvert a majorly large Linux
distribution[1]; I might as well give up against this actor, I'm no
match for them.

My 2 cents,


[1] Or alternatively, the installation media from which I installed
Debian, because again, the trust has to start somewhere.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
