Need GCC 3.3.6 PGP Signing Public Key

Need GCC 3.3.6 PGP Signing Public Key

[imacat]

[-- Attachment #1: Type: text/plain, Size: 735 bytes --]

Dear all,

    This is imacat from Taiwan.  I was downloading GCC 3.3.6.  I saw it
was signed by PGP key 902C9419, and it displayed its owner as Gabriel
Dos Reis.  But I can't find any other public source that can prove this
key as her/his, not even on GCC website http://gcc.gnu.org/ or Savannah. 
Did I miss something?  Is that key 902C9419 really her/his?  Could
someone confirm about this, or better, publish that PGP signing key
somewhere, on GCC website?  Thank you.

--
Best regards,
imacat ^_*' <imacat@mail.imacat.idv.tw>
PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt

<<Woman's Voice>> News: http://www.wov.idv.tw/
Tavern IMACAT's: http://www.imacat.idv.tw/
TLUG List Manager: http://www.linux.org.tw/mailman/listinfo/tlug

[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]

Re: Need GCC 3.3.6 PGP Signing Public Key

[Gerald Pfeifer]

On Sat, 28 May 2005, imacat wrote:
>     This is imacat from Taiwan.  I was downloading GCC 3.3.6.  I saw it
> was signed by PGP key 902C9419, and it displayed its owner as Gabriel
> Dos Reis.  But I can't find any other public source that can prove this
> key as her/his, not even on GCC website http://gcc.gnu.org/ or Savannah. 
> Did I miss something?  Is that key 902C9419 really her/his?  Could
> someone confirm about this, or better, publish that PGP signing key
> somewhere, on GCC website?  Thank you.

Gaby added his key to the website now, but I agree that we should make
sure the keys are sufficiently well signed by other members of the free
software (or open source) community.

Many of us will meet at the GCC Summit next month in Ottawa, and I
suggest we all make sure to improve the web of trust in the GCC
community (and especially as far as the release managers are concerned).

Gerald

Re: Need GCC 3.3.6 PGP Signing Public Key

[Gabriel Dos Reis]

Gerald Pfeifer <gerald@pfeifer.com> writes:

| On Sat, 28 May 2005, imacat wrote:
| >     This is imacat from Taiwan.  I was downloading GCC 3.3.6.  I saw it
| > was signed by PGP key 902C9419, and it displayed its owner as Gabriel
| > Dos Reis.  But I can't find any other public source that can prove this
| > key as her/his, not even on GCC website http://gcc.gnu.org/ or Savannah. 
| > Did I miss something?  Is that key 902C9419 really her/his?  Could
| > someone confirm about this, or better, publish that PGP signing key
| > somewhere, on GCC website?  Thank you.
| 
| Gaby added his key to the website now, but I agree that we should make
| sure the keys are sufficiently well signed by other members of the free
| software (or open source) community.

I'm a bit surprised because I uploaded my new key last december,
shortly before signing 3.3.5.

| 
| Many of us will meet at the GCC Summit next month in Ottawa, and I
| suggest we all make sure to improve the web of trust in the GCC
| community (and especially as far as the release managers are concerned).

I'm planning to be there.

-- Gaby

Re: Need GCC 3.3.6 PGP Signing Public Key

[Gerald Pfeifer]

On Sat, 28 May 2005, Gabriel Dos Reis wrote:
>| Gaby added his key to the website now, but I agree that we should make
>| sure the keys are sufficiently well signed by other members of the free
>| software (or open source) community.
> I'm a bit surprised because I uploaded my new key last december,
> shortly before signing 3.3.5.

As far as I understand, it's not a question of these keys being available 
on a key server, but having sufficiently many signatures and proper paths
of trust.

For example, I could easily create a key for Gabriel Dos Reis 
<gdr@pfeifer.com> and upload it to the key servers, or some evil
hacker could do something similar.

>| Many of us will meet at the GCC Summit next month in Ottawa
> I'm planning to be there.

Excellent.  Let's make sure you'll get one or two dozen of signatures
for your PGP key there! :-)

Gerald

Re: Need GCC 3.3.6 PGP Signing Public Key

[imacat]

[-- Attachment #1: Type: text/plain, Size: 1650 bytes --]

    Thank you all.  I was worrying that nobody would ever notice or be
interested in this issue.  I'd downloaded and checked the key and it
matches.  Thank you. ^_*'

    I would like to join you in Ottawa if possible, but I can't afford
it. ^^;  For people like me that have difficulty joining your web of
trust would certainly need other, public sources to verify.  Thank you
for your help on this.

On Sat, 28 May 2005 17:55:18 +0200 (CEST)
Gerald Pfeifer <gerald@pfeifer.com> wrote:

> On Sat, 28 May 2005, Gabriel Dos Reis wrote:
> >| Gaby added his key to the website now, but I agree that we should make
> >| sure the keys are sufficiently well signed by other members of the free
> >| software (or open source) community.
> > I'm a bit surprised because I uploaded my new key last december,
> > shortly before signing 3.3.5.
> 
> As far as I understand, it's not a question of these keys being available 
> on a key server, but having sufficiently many signatures and proper paths
> of trust.
> 
> For example, I could easily create a key for Gabriel Dos Reis 
> <gdr@pfeifer.com> and upload it to the key servers, or some evil
> hacker could do something similar.
> 
> >| Many of us will meet at the GCC Summit next month in Ottawa
> > I'm planning to be there.
> 
> Excellent.  Let's make sure you'll get one or two dozen of signatures
> for your PGP key there! :-)
> 
> Gerald

--
Best regards,
imacat ^_*' <imacat@mail.imacat.idv.tw>
PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt

<<Woman's Voice>> News: http://www.wov.idv.tw/
Tavern IMACAT's: http://www.imacat.idv.tw/
TLUG List Manager: http://www.linux.org.tw/mailman/listinfo/tlug

[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]

Re: Need GCC 3.3.6 PGP Signing Public Key

[Russ Allbery]

Gerald Pfeifer <gerald@pfeifer.com> writes:

> For example, I could easily create a key for Gabriel Dos Reis
> <gdr@pfeifer.com> and upload it to the key servers, or some evil hacker
> could do something similar.

And, in fact, people do; this is not just theoretical.  There is an extra
(unsigned) key for Russ Allbery <rra@stanford.edu> on the keyservers that
I had nothing to do with.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>