[jitsi-users] Jitsi/SIP Communicator Debian key. (apologies for the crossposting, but it's a matter of interest both for devs and for users)


#1

Hi, I do a lot of pro bono work for human rights organizations
(think Amnesty International and whatnot), including helping migrate
to libre software when the alternative is mature enough, and I do think
Jitsi would be a great replacement for Jabber, especially once the
Android version is finalized.
    However, there is an issue: in this area man-in-the-middle attacks
are more than just a theoretical hazard but a clear and often present
threat, therefore I go to great lengths to make sure that when rolling
out custom desktops the repo keys have been double- and triple-checked and
are always passed on in a paper hardcopy along with instructions on how
to check them and report in case a mismatch crops up in the wild. (For
an example of an ongoing use of MITM look no further than Skype and the
Syrian crisis, or even Germany for that matter.)
    Now the main issue I have with recommending Jitsi for a mass rollout
is the fact that the current signature on my end is from 2008 and is
self-signed without any outside signatures which would allow for a chain
of trust.
    Would it be possible to generate a new packaging key signed by at
least a couple of users in the Debian keyring, for example (CD hardcopies
are easy to find and ISOs easy to validate in order to check the sigs),
so that a web-of-trust effect could be formed around the Debian repos?
(or any other repo, for example)
    Thank you for your time, kind regards,
        J.
P.S.: this is the sig list for the current key right now:
pub 1024D/EB0AB654 2008-06-20
uid SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>

···

sig 3 EB0AB654 2008-06-20 SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>
sub 2048g/F6EFCE13 2008-06-20
sig EB0AB654 2008-06-20 SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>
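A small checker, added here as an example and not part of the original post or of the Jitsi project, that reads `gpg --with-colons --list-sigs` output and reports the properties the post is worried about: primary key size and algorithm, whether any signature comes from a key other than the key itself, and whether the fingerprint matches the value handed over on paper. The listing it runs on is constructed to mirror the quoted key; the long key ids and the fingerprint are placeholders.

```python
"""Audit a `gpg --with-colons --list-sigs` listing for a repository signing key:
flag small or DSA primary keys, keys carrying only self-signatures (so no path
into a web of trust), and a fingerprint that differs from the paper copy."""

# RFC 4880 public-key algorithm ids as gpg prints them in the 4th field.
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def parse_listing(text):
    """Return one dict per primary key; records after a 'sub:' line belong to the subkey."""
    keys, cur, on_primary = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "bits": int(f[2]), "algo": ALGO_NAMES.get(int(f[3]), "algo" + f[3]),
                   "fpr": "", "self_sigs": 0, "ext_sigs": 0}
            keys.append(cur)
            on_primary = True
        elif f[0] == "sub":
            on_primary = False
        elif f[0] == "fpr" and on_primary and not cur["fpr"]:
            cur["fpr"] = f[9]          # fingerprint sits in the 10th field
        elif f[0] == "sig" and on_primary:
            cur["self_sigs" if f[4] == cur["keyid"] else "ext_sigs"] += 1
    return keys

def audit(key, expected_fpr=None, min_bits=2048):
    """Return the findings for one key; an empty list means every check passed."""
    findings = []
    if key["bits"] < min_bits:
        findings.append(f"{key['bits']}-bit {key['algo']} key is below {min_bits} bits")
    if key["algo"] == "DSA":
        findings.append("DSA primary key; prefer RSA or EdDSA for a new packaging key")
    if key["ext_sigs"] == 0:
        findings.append("self-signatures only: no chain of trust to any other key")
    if expected_fpr is not None and key["fpr"].upper() != expected_fpr.replace(" ", "").upper():
        findings.append("fingerprint differs from the out-of-band (hardcopy) value")
    return findings

# Constructed listing modelled on the key quoted in the post (1024-bit DSA,
# self-signed only). The long key ids and the fingerprint are placeholders.
FPR_2008 = "0" * 32 + "EB0AB654"
SAMPLE_LISTING = f"""\
pub:-:1024:17:00000000EB0AB654:1213920000:::-:::scESC:
fpr:::::::::{FPR_2008}:
uid:-::::1213920000::::SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>:
sig:::17:00000000EB0AB654:1213920000::::SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>:13x:
sub:-:2048:16:00000000F6EFCE13:1213920000::::::e:
sig:::17:00000000EB0AB654:1213920000::::SIP Communicator (Debian package) <deb-pkg@sip-communicator.org>:18x:
"""
```

Run it on a real key by replacing SAMPLE_LISTING with the output of `gpg --with-colons --list-sigs <keyid>` and passing the fingerprint from the paper copy as `expected_fpr`; for the quoted key it reports three findings (1024 bits, DSA, self-signatures only).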