Verify repository's key
Hi,
According to wiki.ros.org/hydro/Installation/Debian to install ROS on Debian, the GnuPG-key used to sign the repository should be installed by using
wget packages.ros.org/ros.key -O - | sudo apt-key add -
However, the key stored in ros.key hasn't been signed by anyone and the server doesn't support HTTPS. So this key doesn't provide much security against person-in-the-middle-attacks. Would it be possible to have this key signed by admins or developers actively using GnuPG/PGP (i.e. they already participated a key-signing-party or otherweise exchanged they public key with some people), who can assure, that this is the genuine archive's key? Is there any SSL-enabled webserver available which could be used to provide the key?
Kind regards, B. Wildenhain
@William@tfoote