Re: Crypto signing of packages

To: Jim Pick <jim@jimpick.com>
Cc: Manoj Srivastava <srivasta@datasync.com>, debian-devel@lists.debian.org
Subject: Re: Crypto signing of packages
From: Fabrizio Polacco <fpolacco@icenet.fi>
Date: Sat, 25 Oct 1997 02:50:03 +0300
Message-id: <[🔎] 3451342B.554B5201@icenet.fi>
References: <[🔎] 87en5b6jxw.fsf@tiamat.datasync.com> <[🔎] 87sotqyj4r.fsf@fleming.jimpick.com>

Jim Pick wrote:
> 
> > * Three or four Project master keys held by separate people,
> > maintainers' working keys must be signed by some n-out-of-m of them.
> >
> > * Revoke Project master keys by n-out-of-m of them; this way we can
> > gradually leave bad old keys behind.
> 
> I don't think we need project master keys.  What's wrong with just
> having a maintainer for a keyring, and distributing that.

You need more than one because if one go compromised, the other
signature still insure the validity of the keys signed while you're
doing the process of creating a new key, signing all the keys,
redistribute the keyring ...


Fabrizio
-- 
| fpolacco@icenet.fi    fpolacco@debian.org    fpolacco@pluto.linux.it
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> Just because Red Hat do it doesn't mean it's a good idea. [Ian J.]


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

References:
- Re: Crypto signing of packages
  - From: Manoj Srivastava <srivasta@datasync.com>
- Re: Crypto signing of packages
  - From: Jim Pick <jim@jimpick.com>

Prev by Date: Re: unofficial package repository and the bugs system
Next by Date: Re: bug or not??? pppd
Previous by thread: Re: Crypto signing of packages
Next by thread: [paolos@ares.omninet.it: Re: atp 1.2 copyright]
Index(es):
- Date
- Thread