Am 30.07.2018 um 20:55 schrieb Willy Tarreau:
> I know and I've already thought about it. But I personally refuse to store
> my PGP key on any exposed machine. Right now in order to tag, I have to
> SSH into an isolated machine, run "git pull --tags", create-release, and
> "git push --tags". Then I upload the release.

In addition to what Vincent and Bertrand suggest I'd like to note that a
dedicated "haproxy Release Signing Key", even if stored on an exposed
machine, would be strictly better than just checksums, which could be
modified by anyone with access to the haproxy.org server.

This signing key could be signed by your personal PGP key and easily be
revoked in case it ever gets compromised.

Also I know nothing about the release process, but: Is the machine
signing the tags not used to upload the release Tarballs to haproxy.org?
I think it's strange that the parts of the release process are
distributed onto several machines (one to create the tag, one to create
the Tarball).

Best regards
Tim Düsterhus

Reply via email to