I keep the keys that I've used to sign the releases that I have done on
a floppy disk away from any networked system. If you have the signing keys
on an Apache server and if these servers ever get hacked (and it _will_
happen), then you have compromised the whole chain of trust.

I very much prefer to keep the signing keys away from networked
infrastructure.

        Regards
                Henning


On Sun, 2004-07-18 at 01:32, Howard Lewis Ship wrote:
> I wish we could get away from PGP keys (though I understand it helps
> limit liability). It tends to be a decidedly manual step, and error
> prone.  I generate my PGP keys on my local machine and upload, it
> might be easier if I could figure out how to get my GnuPG key
> translated to a PGP key compatible with the tools on
> jakarta.apache.org, so I could sign the files there.
> 
> On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> > On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> > 
> > <snip>
> > 
> > > BTW, I just now realized that we have a couple of releases that are
> > > neither PGP signed nor accompanied by MD5 hashes, this should be
> > > strongly discouraged IMHO.  In particular since Ant has supported
> > > generation of MD5 hashes for a few years now - and so does Maven.
> > 
> > +1
> > 
> > i'm not sure what can be done about it, though. maybe the pmc could
> > insist that all new releases have sums and signatures.
> > 
> > > Finally I'd move the section about archived builds to the bottom as
> > > well.  Thinking about it, I should probably mock up a design to show
> > > what I mean, will do so next week unless I get shot down before 8-)
> > >
> > 
> > cool.
> > 
> > i've been playing around with tables so maybe i'll post up a mock
> > somewhere too.
> > 
> > - robert
> > 
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> > 
-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
[EMAIL PROTECTED]        +49 9131 50 654 0   http://www.intermeta.de/
 
RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but re-
 fusing to acknowledge that there might be weaknesses in one's
 position - in order to identify them so that they can be remedied -
 is a large enough problem with the Open Source movement that it
 deserves to be on this list of the top five problems."
                       --Michelle Levesque, "Fundamental Issues with
                                    Open Source Software Development"
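As an added example (not code from this thread or from any Apache project), a small audit of the kind robert suggests the PMC could insist on: for each artifact in a release directory, flag a missing detached signature (`.asc`) or MD5 file, and verify the MD5 where one is present. The sidecar naming convention and the sample files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SIG_SUFFIX = ".asc"  # detached ASCII-armored PGP signature (assumed naming)
MD5_SUFFIX = ".md5"  # hex digest; Ant's <checksum> writes just the digest,
                     # md5sum writes "digest  filename"; both are handled


def audit_release_dir(directory):
    """Return {artifact_name: [problems]} for every file in `directory`
    that is not itself a .asc/.md5 sidecar.
    Problems: 'missing signature', 'missing md5', 'md5 mismatch'.
    The MD5 only catches corruption; it does not replace the signature,
    and signature validity itself needs gpg plus the signer's public key."""
    report = {}
    for artifact in sorted(Path(directory).iterdir()):
        if not artifact.is_file() or artifact.suffix in (SIG_SUFFIX, MD5_SUFFIX):
            continue
        problems = []
        if not artifact.with_name(artifact.name + SIG_SUFFIX).exists():
            problems.append("missing signature")
        md5_file = artifact.with_name(artifact.name + MD5_SUFFIX)
        if not md5_file.exists():
            problems.append("missing md5")
        else:
            expected = md5_file.read_text().split()[0].lower()
            actual = hashlib.md5(artifact.read_bytes()).hexdigest()
            if expected != actual:
                problems.append("md5 mismatch")
        report[artifact.name] = problems
    return report


def build_sample_dir():
    """Constructed sample release directory: one complete artifact, one with
    a wrong digest and no signature, one with nothing at all."""
    d = Path(tempfile.mkdtemp())
    (d / "foo-1.0.tar.gz").write_bytes(b"release bytes")
    (d / "foo-1.0.tar.gz.md5").write_text(hashlib.md5(b"release bytes").hexdigest() + "\n")
    (d / "foo-1.0.tar.gz.asc").write_text("-----BEGIN PGP SIGNATURE-----\n(placeholder)\n")
    (d / "foo-0.9.zip").write_bytes(b"old release")
    (d / "foo-0.9.zip.md5").write_text("00000000000000000000000000000000  foo-0.9.zip\n")
    (d / "foo-0.8.jar").write_bytes(b"unsigned")
    return d


if __name__ == "__main__":
    for name, problems in audit_release_dir(build_sample_dir()).items():
        print(name, "OK" if not problems else ", ".join(problems))
```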

