Re: Crypto signing of packages
Jim Pick wrote:
> > * Three or four Project master keys held by separate people,
> > maintainers' working keys must be signed by some n-out-of-m of them.
> > * Revoke Project master keys by n-out-of-m of them; this way we can
> > gradually leave bad old keys behind.
> I don't think we need project master keys. What's wrong with just
> having a maintainer for a keyring, and distributing that.
You need more than one because if one go compromised, the other
signature still insure the validity of the keys signed while you're
doing the process of creating a new key, signing all the keys,
redistribute the keyring ...
| firstname.lastname@example.org email@example.com firstname.lastname@example.org
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> Just because Red Hat do it doesn't mean it's a good idea. [Ian J.]
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to email@example.com .