dwd at drdykstra.us
Thu Jan 16 14:46:00 EST 2003
Martin left off some context that might confuse some list readers. I
had inquired about how to sign the pre-release tarball. I signed
2.5.6pre1 with my personal key, but Martin suggested there be a team key.
On Thu, Jan 16, 2003 at 10:42:53AM +1100, Martin Pool wrote:
> [replied to list]
> There was a discussion about this on the Samba list a while ago
> We should create a team signing key, with a lifetime of about a
> year. It has to be relatively short to allow for turnover in the
> people who have access to the key.
> The signing key must only be stored on secure machines, certainly
> *not* on samba.org. (If it was on samba.org, somebody who
> compromised that machine could also generate new signatures and it
> would be pointless.)
> The key should be signed by team members and other relevant people;
> we should also sign each others' keys.
> The key should be on the keyservers and on the web site.
> Unless you've already done so I'll create the key and send the private
> half to you and the public half to the website, keyservers, and list.
I have not done so, and if you're willing to set that up please go ahead.
A web page describing how to use the signature, like what you were talking
about on the samba list, would be great.
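The setup Martin sketches (a team key that expires after about a year, whose public half is published so downloaders can check the tarball signature) can be walked through end to end with gpg. The script below is an added example, not code from the rsync list or the rsync project: it builds a throwaway team key in a private keyring, detach-signs a constructed stand-in for the pre-release tarball, then verifies it the way a downloader would, and shows that a modified tarball is rejected. The key name, the `team-key@example.invalid` address, the file names and the placeholder contents are all assumptions. One point it makes that a "how to use the signature" page should also make: `gpg --verify` exits 0 for a good signature from any key in the keyring, so the check has to compare the signing fingerprint against the one published out of band, not just the exit status.

```shell
#!/bin/sh
# Added example (not from the rsync list thread): a throwaway team signing key
# with a one-year expiry, a detached signature over a constructed stand-in
# tarball, and the downloader-side check against a published fingerprint.
# Every name, address and path here is an assumption.
set -eu

WORK=$(mktemp -d)
# Private keyring for the whole run; the user's real keys are never touched.
export GNUPGHOME="$WORK/keyring"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

TARBALL="$WORK/rsync-2.5.6pre1.tar.gz"   # constructed stand-in, not a real release
SIG="$TARBALL.asc"                        # detached, ASCII-armoured signature
PUBKEY="$WORK/team-key.asc"               # the "public half" that would go on the web site
printf 'constructed placeholder for the pre-release tarball\n' > "$TARBALL"

# 1. Team key with a ~1 year lifetime (Expire-Date: 1y). %no-protection skips
#    the passphrase so the script runs unattended; a real team key would have one.
gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example Team Signing Key
Name-Email: team-key@example.invalid
Expire-Date: 1y
%commit
EOF

# Primary-key fingerprint: this is the value to publish on the web page and to
# have team members certify, and the value a downloader compares against.
TEAM_FPR=$(gpg --batch --with-colons --fingerprint team-key@example.invalid \
           | awk -F: '/^fpr:/ { print $10; exit }')
gpg --batch --armor --export "$TEAM_FPR" > "$PUBKEY"

# Expiry timestamp (field 7 of the pub: line, empty if the key never expires).
key_expires_at() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '/^pub:/ { print $7; exit }'
}

# 2. Release engineer signs the tarball with the team key.
gpg --batch --yes --armor --detach-sign --local-user "$TEAM_FPR" \
    --output "$SIG" "$TARBALL"

# 3. Downloader side: import only the published public half into a fresh
#    keyring and verify. Usage: verify_release TARBALL SIGFILE EXPECTED_FPR
verify_release() {
    vr_home=$(mktemp -d)
    GNUPGHOME="$vr_home" gpg --batch --quiet --import "$PUBKEY" 2>/dev/null
    # The exit status alone is not enough: gpg returns 0 for a good signature
    # from *any* key it knows. Read the machine-readable status lines and
    # insist that the VALIDSIG fingerprint is the published one.
    vr_status=$(GNUPGHOME="$vr_home" gpg --batch --status-fd 1 \
                --verify "$2" "$1" 2>/dev/null || true)
    GNUPGHOME="$vr_home" gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$vr_home"
    case "$vr_status" in
        *"[GNUPG:] VALIDSIG $3 "*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# A tampered copy: same signature file, different contents.
TAMPERED="$WORK/rsync-2.5.6pre1-tampered.tar.gz"
sed 's/placeholder/backdoored copy/' "$TARBALL" > "$TAMPERED"

echo "team key $TEAM_FPR expires at $(key_expires_at "$TEAM_FPR") (epoch seconds)"
if verify_release "$TARBALL" "$SIG" "$TEAM_FPR"; then
    echo "good signature on $(basename "$TARBALL") by the published team key"
fi
if verify_release "$TAMPERED" "$SIG" "$TEAM_FPR"; then
    echo "BUG: tampered tarball verified"; exit 1
else
    echo "tampered tarball rejected"
fi
```

In the real setup the private key stays on the signer's machine and only `team-key.asc`, the fingerprint and the `.asc` signature files are published; the downloader gets the fingerprint from the web page or from team members' certifications, never from the same place as the tarball alone.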