Posted Jul 18, 2008 0:33 UTC (Fri) by email@example.com (guest, #33287)
Parent article: Trust and mirrors
Glancing at the article referenced, I didn't see any mention of another concern I have long
had. How can I be sure _I_ have not inadvertently accepted a bogus signature key?
Is there some kind of survey tool to validate the keys for all installed packages -- that is,
verify that they are valid keys known to (trusted by) the distributor?
I sort of remember accepting unknown keys, not paying attention to keys, or (not sure)
accepting unsigned packages if that is possible.
I guess I'm saying that I don't trust myself to have always done the correct thing, so how do
I audit for this risk? ;-)
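The survey the commenter asks for, as an added example that is not part of the LWN thread or of any distribution's tooling: a POSIX shell function that takes the per-package signature column rpm can print and flags every package that is unsigned or signed by a key outside a list of trusted key IDs. The rpm query format strings are real; the key IDs, package names and the sample rpm output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the LWN thread): audit installed rpm packages
# against the distributor's known signing keys. All key IDs and package
# names below are hypothetical, constructed for this example.

# Key IDs (last 16 hex digits of the fingerprint) the distributor is known
# to sign with. Take these from the distributor's *published* fingerprints,
# not from the keys already in the rpm database, since those keys are
# exactly what is being audited.
TRUSTED_KEYIDS="0123456789abcdef fedcba9876543210"

# Constructed sample of what this query prints on a real system:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'
# Unsigned packages show "(none)" in the signature column.
SAMPLE_RPM_OUTPUT=$(
  printf 'bash-3.2-33.el5.x86_64\tDSA/SHA1, Tue 15 Jan 2008 10:02:11 PM UTC, Key ID 0123456789abcdef\n'
  printf 'glibc-2.5-24.el5.x86_64\tDSA/SHA1, Tue 15 Jan 2008 09:55:40 PM UTC, Key ID 0123456789ABCDEF\n'
  printf 'mystery-1.0-1.x86_64\tDSA/SHA1, Fri 04 Jul 2008 01:00:00 AM UTC, Key ID deadbeefdeadbeef\n'
  printf 'homebuilt-0.1-1.x86_64\t(none)\n'
)

# audit_rpm_sigs TRUSTED_KEYIDS  (reads "pkg<TAB>sig" lines on stdin)
# Prints one line per package that is not signed by a trusted key:
#   UNSIGNED <pkg>           no signature at all
#   UNTRUSTED <pkg> <keyid>  signed, but by a key not in the trusted list
#   UNPARSED <pkg>           signature column not in the expected format
# Exit status is 1 if anything was flagged, 0 if every package is clean.
audit_rpm_sigs() {
    trusted=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    flagged=0
    tab=$(printf '\t')
    while IFS="$tab" read -r pkg sig; do
        [ -n "$pkg" ] || continue
        if [ -z "$sig" ] || [ "$sig" = "(none)" ]; then
            echo "UNSIGNED $pkg"
            flagged=1
            continue
        fi
        # rpm prints the 64-bit key ID as 16 hex digits after "Key ID";
        # normalise case so the comparison cannot be fooled by capitalisation.
        keyid=$(printf '%s\n' "$sig" \
            | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' \
            | tr 'A-F' 'a-f')
        if [ -z "$keyid" ]; then
            echo "UNPARSED $pkg"
            flagged=1
            continue
        fi
        case " $trusted " in
            *" $keyid "*) ;;                       # signed by a trusted key
            *) echo "UNTRUSTED $pkg $keyid"; flagged=1 ;;
        esac
    done
    return $flagged
}

# Demonstration on the constructed sample. On a real system replace the
# printf with the rpm -qa query quoted above.
if printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_rpm_sigs "$TRUSTED_KEYIDS"; then
    echo "all packages signed by trusted keys"
else
    echo "review the flagged packages above"
fi
```

Two caveats a practitioner would add. The `%{SIGPGP:pgpsig}` tag is the RSA signature; distributions that sign with DSA keys populate `%{SIGGPG:pgpsig}` instead, so include both columns (or `%{RSAHEADER:pgpsig}` / `%{DSAHEADER:pgpsig}` for header-only signatures on newer rpm) before concluding a package is unsigned. And a key ID that matches the trusted list only tells you which key the package claims to be signed by; `rpm -K <package>` (or `rpm -Va` for installed files) is what actually verifies the signature, and `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{SUMMARY}\n'` lists the keys the database currently trusts so they can be compared, fingerprint by fingerprint, against the distributor's published ones. On Debian-derived systems apt verifies the signed `Release` file rather than each `.deb`, so the comparable audit is checking the output of `apt-key list` against the distributor's published fingerprints.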