signing tarballs

Dave Dykstra dwd at drdykstra.us
Thu Jan 16 14:46:00 EST 2003


Martin left off some context that might confuse some list readers.  I
had inquired about how to sign the pre-release tarball.  I signed 
2.5.6pre1 with my personal key, but Martin suggested there be a team key.

On Thu, Jan 16, 2003 at 10:42:53AM +1100, Martin Pool wrote:
> [replied to list]
> 
> There was a discussion about this on the Samba list a while ago
> 
>   http://lists.samba.org/pipermail/samba-technical/2002-November/040931.html
> 
> Briefly
> 
>   We should create a team signing key, with a lifetime of about a
>   year.  It has to be relatively short to allow for turnover in the
>   people who have access to the key.
> 
>   The signing key must only be stored on secure machines, certainly
>   *not* on samba.org.    (If it was on samba.org, somebody who
>   compromised that machine could also generate new signatures and it
>   would be pointless.)
> 
>   The key should be signed by team members and other relevant people;
>   we should also sign each others' keys.
> 
>   The key should be on the keyservers and on the web site.
> 
> Unless you've already done so I'll create the key and send the private
> half to you and the public half to the website, keyservers, and list.

I have not done so, and if you're willing to set that up please go ahead.
A web page describing how to use the signature, like what you were talking
about on the samba list, would be great.

- Dave
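The workflow Martin outlines and Dave asks to have documented (a team key with a one-year lifetime, a detached signature on the tarball, and the check a downloader runs), as an added example that is not part of this thread or the rsync project's own tooling. It assumes GnuPG 2.1 or later; the key's user ID, address and the stand-in tarball are constructed for the demo and everything happens in throwaway directories.

```shell
#!/bin/sh
# Added example, not from the thread: one-year team key, detached signature
# over a tarball, and verification that fails once the tarball is altered.
# Key user ID, address and tarball contents are constructed; nothing here
# touches the reader's real keyring.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

export GNUPGHOME="$(mktemp -d)"        # private keyring for this demo only
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME" "$WORK"' EXIT
TEAM_UID="rsync team signing key (example) <rsync-team@example.invalid>"

# gpg without prompts; an empty passphrase keeps the demo non-interactive.
gpg_b() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Team key that expires after one year, as the thread proposes.
make_team_key() {
    gpg_b --quick-generate-key "$TEAM_UID" default default 1y >/dev/null 2>&1
}
# Expiry of the team key as a Unix timestamp (field 7 of the "pub" record).
key_expiry() {
    gpg --batch --with-colons --list-keys "$TEAM_UID" \
        | awk -F: '$1 == "pub" { print $7; exit }'
}
# 2. Detached, ASCII-armoured signature written beside the tarball as $1.asc.
sign_tarball() {
    gpg_b --armor --detach-sign --local-user "$TEAM_UID" \
          --output "$1.asc" "$1"
}
# 3. What a downloader runs: succeeds only if $1.asc is good over $1.
verify_tarball() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the 2.5.6pre1 tarball.
mkdir -p "$WORK/rsync-2.5.6pre1"
echo "placeholder source" > "$WORK/rsync-2.5.6pre1/README"
TARBALL="$WORK/rsync-2.5.6pre1.tar.gz"
tar czf "$TARBALL" -C "$WORK" rsync-2.5.6pre1

make_team_key
sign_tarball "$TARBALL"
verify_tarball "$TARBALL"
echo "intact tarball: signature good"

# A single appended byte is enough to make the same signature fail.
cp "$TARBALL" "$WORK/tampered.tar.gz"
cp "$TARBALL.asc" "$WORK/tampered.tar.gz.asc"
printf 'x' >> "$WORK/tampered.tar.gz"
verify_tarball "$WORK/tampered.tar.gz" || echo "altered tarball: signature BAD"
```

The verify step is the only part a downloader needs, together with the public half of the key fetched from the web site or a keyserver; the private half never leaves the signer's machine.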
