
Re: Packages getting created without signature



Hello,

On Fri, 14 Dec 2007, iluvlinux wrote:
> Storing your passphrase in a file or ENV variable is never "safe" as told in
> documents and by mentors.

True enough. Yet ...

> then here's what I found:
> gpg's default home dir is ~/.gnupg (you can change it using --homedir
> option; using this option will, up to some extent, provide at least some
> security as no one knows where your default directory is)
> create a file gpg.conf in that folder and edit it to contain text as
> "passphrase <your-passphrase>"

... here you are suggesting that you store the passphrase in a file!

A much better option is to use the gpg agent.

As far as signing packages is concerned, I would recommend that you
never do this "in the background". You need to verify the package
*before* you sign it. Your signature on the package affirms that you
have checked it as thoroughly as possible and are certifying this. So
run lintian, piuparts and so on before you sign a package.

Regards,

Kapil.
--
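As an added illustration of the two points above (not part of the original message or of any Debian tool): a small POSIX sh snippet that refuses to sign when a plaintext `passphrase` or `passphrase-file` line is stored in gpg.conf, and otherwise runs lintian before handing the .changes file to debsign, leaving the passphrase prompt to gpg-agent. The tool names lintian and debsign are real; the function names and the workflow wrapper are my own construction.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh and grep.

# Return 0 when the given gpg.conf stores no plaintext passphrase,
# 1 when it contains a "passphrase <value>" or "passphrase-file <path>"
# line. Leading whitespace is tolerated; commented lines are ignored.
# A missing config file counts as clean (nothing can be stored in it).
gpg_conf_is_clean() {
    conf="$1"
    [ -r "$conf" ] || return 0
    if grep -Eq '^[[:space:]]*passphrase(-file)?([[:space:]]|$)' "$conf"; then
        return 1
    fi
    return 0
}

# Sign a .changes file only after the config check and lintian pass.
# No --passphrase anywhere: the agent prompts for it interactively.
# (GnuPG 1.x needs "use-agent" in gpg.conf; GnuPG 2.x always uses the agent.)
sign_after_checks() {
    changes="$1"
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
    if ! gpg_conf_is_clean "$conf"; then
        echo "refusing to sign: plaintext passphrase stored in $conf" >&2
        return 1
    fi
    lintian "$changes" || return 1   # verify before you certify
    debsign "$changes"
}
```

Call `sign_after_checks foo_1.0-1_amd64.changes` from the build directory; the check is deliberately a hard failure rather than a warning, because a signature produced from a stored passphrase says nothing about whether anyone actually looked at the package.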


