signing tarballs

Martin Pool mbp at samba.org
Wed Jan 15 23:45:01 EST 2003


[replied to list]

There was a discussion about this on the Samba list a while ago

  http://lists.samba.org/pipermail/samba-technical/2002-November/040931.html

Briefly

  We should create a team signing key, with a lifetime of about a
  year.  It has to be relatively short to allow for turnover in the
  people who have access to the key.

  The signing key must only be stored on secure machines, certainly
  *not* on samba.org.  (If it was on samba.org, somebody who
  compromised that machine could also generate new signatures and it
  would be pointless.)

  The key should be signed by team members and other relevant people;
  we should also sign each others' keys.

  The key should be on the keyservers and on the web site.

Unless you've already done so I'll create the key and send the private
half to you and the public half to the website, keyservers, and list.

-- 
Martin 
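The procedure Martin sketches above (a team signing key with a one-year lifetime, the public half published, a detached signature shipped beside each tarball) as an added shell example; this is not part of the original message nor any rsync or Samba project tooling. It assumes GnuPG 2.1 or later is installed, and the key identity, e-mail address and tarball contents are constructed placeholders. Everything runs in a throwaway GNUPGHOME so the host keyring is untouched.

```shell
#!/bin/sh
# Added example, not from the original message: create a one-year team
# signing key in an isolated keyring, publish its public half as an
# armoured file, detach-sign a constructed tarball and verify it the way
# a downloader would. Assumes GnuPG >= 2.1 (uses --quick-generate-key).
set -eu

GNUPGHOME=$(mktemp -d)        # isolated keyring for this demonstration
export GNUPGHOME
WORK=$(mktemp -d)             # scratch directory for the sample tarball
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Hypothetical team identity (assumption; example.invalid is a reserved TLD).
KEY_UID="Example Team Signing Key <signing@example.invalid>"

# Create the team key with a one-year expiry and print its fingerprint.
# Idempotent: if the key already exists in this keyring, reuse it.
create_signing_key() {
    if ! gpg --batch --quiet --list-keys "$KEY_UID" >/dev/null 2>&1; then
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$KEY_UID" ed25519 sign 1y
    fi
    gpg --batch --with-colons --list-keys "$KEY_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Days until the key's primary expiry (pub record, field 7 = expiry epoch).
key_expiry_days() {
    exp=$(gpg --batch --with-colons --list-keys "$1" \
          | awk -F: '$1 == "pub" { print $7; exit }')
    [ -n "$exp" ] || { echo 0; return; }
    echo $(( (exp - $(date +%s)) / 86400 ))
}

# ASCII-armoured public half for the web site, keyservers and the list.
export_public_key() {
    gpg --batch --armor --export "$1" > "$2"
}

# Detached ASCII signature beside the tarball: foo.tar.gz -> foo.tar.gz.asc
sign_tarball() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Returns 0 only when the detached signature matches the tarball bytes.
verify_tarball() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Build a constructed sample tarball (placeholder project name and file).
make_sample_tarball() {
    mkdir -p "$WORK/project-0.0"
    echo "constructed sample file, not a real release" > "$WORK/project-0.0/README"
    tar -czf "$1" -C "$WORK" project-0.0
}

# Stand-alone run: key, public export, sign, verify, then show that a
# modified tarball no longer verifies.
demo() {
    tarball="$WORK/project-0.0.tar.gz"
    make_sample_tarball "$tarball"
    fpr=$(create_signing_key)
    echo "team key fingerprint: $fpr (expires in $(key_expiry_days "$fpr") days)"
    export_public_key "$fpr" "$WORK/team-signing-key.asc"
    sign_tarball "$fpr" "$tarball"
    verify_tarball "$tarball" && echo "good signature on $(basename "$tarball")"
    echo "tampered" >> "$tarball"
    verify_tarball "$tarball" || echo "tampered tarball correctly rejected"
}

demo
```

Keep `team-signing-key.asc` and the `.asc` signatures on the web site together with the tarballs, and the private key only on the machine that runs `sign_tarball`; `verify_tarball` is all a downloader needs once the public half is imported.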
