> You sign things with your own key and the server has a list of keys it
> accepts things from. It removes your signature and signs your file
> with its own key. AFAIK this is how Debian etc. manage package
> uploads.

Just a thought - one mechanism is to require two signatures, or mandatory review.

Suppose that Raphael and I are on the small list of blessed "deskbar NewStuff gatekeepers" (and this list may differ from the "epiphany NewStuff gatekeepers", for example). I upload my signed copy of foo, and Raphael uploads his signed copy of foo. The server verifies the two signatures, and that the two copies of foo are equal, and then gives it the official seal.

Two orthogonal questions:
Does anyone already do this?
Is this a good idea?

_______________________________________________
desktop-devel-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/desktop-devel-list
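
The two-signature check proposed in the message above, combined with the server re-signing step from the quoted text, as an added example (not code from the original message or from any GNOME or Debian tool). Ed25519, signing the raw file bytes, and the names `Upload` and `Seal` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Upload is one gatekeeper's signed copy of a file (hypothetical type).
type Upload struct {
	Signer    string
	File, Sig []byte
}

// Seal returns the server's signature over the file only if two different
// gatekeepers on this project's list signed byte-identical copies.
func Seal(gatekeepers map[string]ed25519.PublicKey, server ed25519.PrivateKey, a, b Upload) ([]byte, error) {
	if a.Signer == b.Signer {
		return nil, errors.New("one gatekeeper cannot supply both signatures")
	}
	if !bytes.Equal(a.File, b.File) {
		return nil, errors.New("the two uploaded copies differ")
	}
	for _, u := range []Upload{a, b} {
		pub, ok := gatekeepers[u.Signer]
		if !ok {
			return nil, fmt.Errorf("%s is not a gatekeeper for this project", u.Signer)
		}
		if !ed25519.Verify(pub, u.File, u.Sig) {
			return nil, fmt.Errorf("bad signature from %s", u.Signer)
		}
	}
	// Uploader signatures are dropped; clients only need to trust the server key.
	return ed25519.Sign(server, a.File), nil
}

func main() {
	// Constructed demo: fresh keys, a made-up file, names from the message.
	_, server, _ := ed25519.GenerateKey(nil)
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, privB, _ := ed25519.GenerateKey(nil)
	deskbar := map[string]ed25519.PublicKey{"author": pubA, "raphael": pubB}
	foo := []byte("foo plugin v1")
	seal, err := Seal(deskbar, server,
		Upload{"author", foo, ed25519.Sign(privA, foo)},
		Upload{"raphael", foo, ed25519.Sign(privB, foo)})
	fmt.Println(len(seal), err)
}
```

Because the gatekeeper map is passed per call, a signer trusted for deskbar is rejected when the same uploads are checked against a different project's list.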
