I keep the keys that I've used to sign the releases that I have done on a floppy disk away from any networked system. If you have the signing keys on an Apache server and if these servers ever get hacked (and it _will_ happen), then you have compromised the whole chain of trust.

I very much prefer to keep the signing keys away from networked infrastructure.

Regards
Henning

On Sun, 2004-07-18 at 01:32, Howard Lewis Ship wrote:
> I wish we could get away from PGP keys (though I understand it helps
> limit liability). It tends to be a decidedly manual step, and error
> prone. I generate my PGP keys on my local machine and upload, it
> might be easier if I could figure out how to get my GnuPG key
> translated to a PGP key compatible with the tools on
> jakarta.apache.org, so I could sign the files there.
>
> On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> > On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> >
> > <snip>
> >
> > > BTW, I just now realized that we have a couple of releases that are
> > > neither PGP signed nor accompanied by MD5 hashes, this should be
> > > strongly discouraged IMHO. In particular since Ant supports
> > > generation of MD5 hashes since a few years now - and so does Maven.
> >
> > +1
> >
> > i'm not sure what can be done about it, though. maybe the pmc could
> > insist that all new releases have sums and signatures.
> >
> > > Finally I'd move the section about archived builds to the bottom as
> > > well. Thinking about it, I should probably mock up a design to show
> > > what I mean, will do so next week unless I get shot down before 8-)
> >
> > cool.
> >
> > i've been playing around with tables so maybe i'll post up a mock
> > somewhere too.
> >
> > - robert
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
[EMAIL PROTECTED]        +49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but refusing
to acknowledge that there might be weaknesses in one's position - in
order to identify them so that they can be remedied - is a large enough
problem with the Open Source movement that it deserves to be on this
list of the top five problems."
  --Michelle Levesque, "Fundamental Issues with Open Source Software Development"
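The thread above touches two halves of the same chain of trust: Stefan's complaint that some releases ship with neither a PGP signature nor an MD5 file, and Henning's point that a key kept on the download server is compromised the moment that server is. On the consuming side, the minimum check is to recompute the digest of the downloaded artifact and compare it with the published `.md5` file. The script below is an added example written for this page; it is not code from the thread, from Jakarta or from any Apache project. It assumes the checksum-file layouts one commonly meets (a bare hex digest, or the `md5sum` forms `<hex>  <file>` and `<hex> *<file>`) and uses a constructed sample artifact written to a temporary directory so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample artifact for the example; not a real release.
SAMPLE_ARTIFACT = b"example-release-1.0.tar.gz contents (constructed)\n"
SAMPLE_NAME = "example-release-1.0.tar.gz"

HEX_DIGITS = set("0123456789abcdef")


def digest_file(path, algorithm="md5", chunk_size=65536):
    """Hex digest of a file, streamed in chunks so large tarballs fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text, hex_length=32):
    """Return the expected digest (lowercase hex) from a checksum file's text.

    Assumed layouts: a bare hex string, "<hex>  <filename>" (md5sum text
    mode) or "<hex> *<filename>" (md5sum binary mode), any of them with
    surrounding whitespace. In all cases the digest is the first token.
    hex_length defaults to 32, the length of an MD5 hex digest.
    """
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    if len(digest) != hex_length or not set(digest) <= HEX_DIGITS:
        raise ValueError("first token is not a %d-char hex digest: %r" % (hex_length, tokens[0]))
    return digest


def verify_checksum(artifact_path, checksum_text, algorithm="md5"):
    """True iff the artifact's recomputed digest equals the published one.

    hmac.compare_digest is used so a mismatch costs the same time wherever
    the first differing byte sits; for a local file check that hardly
    matters, but it is the habit to keep when comparing digests.
    """
    expected = parse_checksum_file(checksum_text)
    actual = digest_file(artifact_path, algorithm)
    return hmac.compare_digest(expected, actual)


def demo():
    """Write the constructed artifact to a temp dir and exercise the checker.

    Returns a dict of verification outcomes plus the digest of a file
    containing b"abc", whose MD5 is a well-known test vector.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_ARTIFACT)
        good = digest_file(path)

        abc_path = os.path.join(d, "abc.txt")
        with open(abc_path, "wb") as f:
            f.write(b"abc")

        return {
            "bare": verify_checksum(path, good + "\n"),
            "md5sum_form": verify_checksum(path, "%s  %s\n" % (good, SAMPLE_NAME)),
            "binary_form": verify_checksum(path, "%s *%s\n" % (good, SAMPLE_NAME)),
            # A checksum file that does not match the artifact (or an artifact
            # altered after the checksum was published) must fail.
            "tampered": verify_checksum(path, "0" * 32 + "\n"),
            "abc_md5": digest_file(abc_path),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-12s %s" % (name, value))
```

A passing checksum only proves the download matches the `.md5` file sitting next to it; if both were served from the same compromised host, as Henning's scenario has it, the attacker rewrote both. The PGP signature check with the project's published key is the separate step that an attacker without the offline signing key cannot satisfy, which is why the thread treats the signature and the checksum as complementary rather than interchangeable.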