Very glad to hear that the multiple-otr-key functionality will be in the
nightlies soon, that will solve one of the biggest usage issues that my
local group of XMPP contacts have been having since we started using
Jitsi earlier in the month.

We're looking at Jitsi as the key application for instant messaging and
VoIP as part of the CryptoParty we're running in Devon in February, and
I've realised that I'm not sure how to 'trust' the XMPP binaries.

In the 'nightlies' folder, PGP signatures are being provided for each
Debian package; however, I can't find a link to your PGP public key
(which I would expect to find on a keyserver with an associated web of
trust) or signatures for the stable binaries, which are the ones we've
been looking at. Is there a reason why neither of these things is
provided, or am I simply looking in the wrong place?

This brings me to the line 'Note that once you install one of the Jitsi
debian packages, our debian repository would be automatically added to
your package sources so that you would be able to easily upgrade.',
which means that an unverified binary package is now installing a link
back to a repository which has not been manually trusted at any point in
the install process. Public key verification of the original install
package would solve this problem.

Grateful for any feedback!