List-Id: Zsh Workers List
X-Seq: 46228
Date: Fri, 10 Jul 2020 21:47:27 +0000 (UTC)
From: vapnik spaknik
To: zsh-workers@zsh.org
Message-ID: <1130466066.9798.1594417647695@mail.yahoo.com>
Subject: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?

Hi,

the zsh tarballs available on sourceforge & zsh.org are signed by "dana@dana.is", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@dana.is" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace).

Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you?

Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each other's public gpg keys?

Joe Bloggs.
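
The "only self signatures" observation in the message above can be checked mechanically from GnuPG's machine-readable key listing. The following is an added example, not part of the original message or of the zsh project; the key IDs and user ID in the sample are constructed placeholders, and the field positions are taken from GnuPG's doc/DETAILS.

```python
# Added example: classify certifications listed by
#   gpg --with-colons --check-sigs <key>
# Field positions per GnuPG doc/DETAILS: 1=record type, 2=check result on sig
# records ("!" good, "-" bad, "?" signer key missing), 5=key ID (the issuer on
# sig records), 11=signature class.
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # OpenPGP user-ID certifications

# Constructed sample listing; key IDs and user ID are placeholders.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
uid:-::::1500000000::::Release Signer <signer@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1500000000::::Release Signer <signer@example.org>:13x:
sig:?::1:CCCCCCCCCCCCCCCC:1500000500::::[User ID not found]:10x:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::e:
sig:!::1:AAAAAAAAAAAAAAAA:1500000000::::Release Signer <signer@example.org>:18x:
"""

def classify_certifications(colon_output):
    """Bucket the issuer key IDs of user-ID certifications on each key."""
    result = {"self": [], "third_party_good": [], "not_verified": []}
    primary = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            primary = f[4]
        elif f[0] == "sig" and primary and len(f) > 10:
            try:
                sig_class = int(f[10][:2], 16)
            except ValueError:
                continue
            if sig_class not in CERT_CLASSES:
                continue  # e.g. 0x18 subkey binding, not a certification
            issuer = f[4]
            if issuer == primary:
                result["self"].append(issuer)
            elif f[1] == "!":
                result["third_party_good"].append(issuer)
            else:  # "?", "-" or "%": nothing could be confirmed
                result["not_verified"].append(issuer)
    return result

def only_self_signed(colon_output):
    """True when no third-party certification verified as good."""
    return not classify_certifications(colon_output)["third_party_good"]

if __name__ == "__main__":
    print(classify_certifications(SAMPLE), only_self_signed(SAMPLE))
```

A certification in the `third_party_good` bucket is only cryptographically valid; it carries weight only if the certifying key has itself been verified through a channel you trust.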