[email protected] (Michał Masłowski) writes:

>> During the build you sign the packages with your gpg at the librerelease
>> time.
>
> With your private key for which the public key should be included in
> parabola-keyring.
>
>> Since it seems there is one machine for a tuple of people, modifying
>> one by one the /etc/libretools.conf on the key ID sounds weird.
>
> IMO we should use a separate keypair just for packages built on that
> machine.
>
> Most libretools load user-specific configuration files, they would
> literally answer your question.
>
>> So maybe we will need to redraw libretools.conf to ask for a key inside
>> the parabola-keyring and not just one known ID.
>
> I won't publish my private key and I don't want to download the packages
> just to sign them (it seems also pointless for security). I'm also not
> convinced that relating the keys to users signing the packages instead
> of the machine building them is useful.

Well ... that is why the question: how to make the things for multi-builder without creating a form of security hole?

-- 
Aurelien DESBRIERES
Ride Free! Ride GNU.org
