mbp at samba.org
Wed Jan 15 23:45:01 EST 2003
[replied to list]
There was a discussion about this on the Samba list a while ago.
We should create a team signing key, with a lifetime of about a
year. It has to be relatively short to allow for turnover in the
people who have access to the key.
The signing key must only be stored on secure machines, certainly
*not* on samba.org. (If it was on samba.org, somebody who
compromised that machine could also generate new signatures and it
would be pointless.)
The key should be signed by team members and other relevant people;
we should also sign each other's keys.
The key should be on the keyservers and on the web site.
Unless you've already done so, I'll create the key and send the private
half to you and the public half to the website, keyservers, and list.