signing tarballs

Dave Dykstra dwd at
Thu Jan 16 14:46:00 EST 2003

Martin left off some context that might confuse some list readers.  I
had inquired about how to sign the pre-release tarball.  I signed 
2.5.6pre1 with my personal key, but Martin suggested there be a team key.

On Thu, Jan 16, 2003 at 10:42:53AM +1100, Martin Pool wrote:
> [replied to list]
> There was a discussion about this on the Samba list a while ago
> Briefly
>   We should create a team signing key, with an lifetime of about a
>   year.  It has to be relatively short to allow for turnover in the
>   people who have access to the key.
>   The signing key must only be stored on secure machines, certainly
>   *not* on    (If it was on, somebody who
>   compromised that machine could also generate new signatures and it
>   would be pointless.)
>   The key should be signed by team members and other relevant people;
>   we should also sign each others' keys.
>   The key should be on the keyservers and on the web site.
> Unless you've already done so I'll create the key and send the private
> half to you and the public half to the website, keyservers, and list.

I have not done so, and if you're willing to set that up please go ahead.
A web page describing how to use the signature, like what you were talking
about on the samba list, would be great.

- Dave

More information about the rsync mailing list