Willy,

On 30.07.2018 at 20:55, Willy Tarreau wrote:
> I know and I've already thought about it. But I personally refuse to store
> my PGP key on any exposed machine. Right now in order to tag, I have to
> SSH into an isolated machine, run "git pull --tags", create-release, and
> "git push --tags". Then I upload the release.
In addition to what Vincent and Bertrand suggest, I'd like to note that a dedicated "haproxy Release Signing Key", even if stored on an exposed machine, would be strictly better than just checksums, which could be modified by anyone with access to the haproxy.org server. This signing key could be signed by your personal PGP key and easily be revoked in case it ever gets compromised.

Also, I know nothing about the release process, but: is the machine signing the tags not used to upload the release tarballs to haproxy.org? I think it's strange that parts of the release process are distributed onto several machines (one to create the tag, one to create the tarball).

Best regards
Tim Düsterhus
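The difference Tim describes between a detached signature from a dedicated release key and a plain checksum, as an added example that is not part of the thread or of the haproxy project's release tooling. It assumes gpg 2.1 or newer and sha256sum are installed; the key user ID, file names and tarball contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a throwaway keyring holding a dedicated release-signing key,
# a detached signature on a constructed tarball, and verifiers that show why
# a signature survives tampering on the download server while a checksum does not.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
# Assumed user ID for the dedicated key (not the project's real key).
UID_STR="haproxy Release Signing Key (example) <release@example.invalid>"

# 1. Create the signing-only key. No passphrase, because this is a throwaway keyring.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$UID_STR" ed25519 sign 1y
FPR=$(gpg --batch --with-colons --list-keys "$UID_STR" | awk -F: '/^fpr/{print $10; exit}')

# 2. Constructed release artifact, its detached ASCII-armored signature and a checksum file.
TARBALL="$WORK/haproxy-example.tar.gz"
printf 'constructed tarball contents\n' > "$TARBALL"
( cd "$WORK" && gpg --batch --quiet --armor --detach-sign --local-user "$FPR" haproxy-example.tar.gz )
( cd "$WORK" && sha256sum haproxy-example.tar.gz > haproxy-example.tar.gz.sha256 )

# verify_release FILE: prints "ok" when FILE.asc validates against the keyring, else "bad".
verify_release() {
    if gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; then echo ok; else echo bad; fi
}

# verify_checksum FILE: prints "ok" when FILE matches the .sha256 stored next to it, else "bad".
verify_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" ) && echo ok || echo bad
}

GENUINE_SIG=$(verify_release "$TARBALL")    # ok
GENUINE_SUM=$(verify_checksum "$TARBALL")   # ok

# 3. Someone with write access to the server replaces the tarball and rewrites the checksum file.
printf 'tampered contents\n' > "$TARBALL"
( cd "$WORK" && sha256sum haproxy-example.tar.gz > haproxy-example.tar.gz.sha256 )

TAMPERED_SIG=$(verify_release "$TARBALL")   # bad: the signing key was never on that server
TAMPERED_SUM=$(verify_checksum "$TARBALL")  # ok: the checksum was regenerated with the file

echo "genuine: sig=$GENUINE_SIG sum=$GENUINE_SUM / tampered: sig=$TAMPERED_SIG sum=$TAMPERED_SUM"
```

Revoking a compromised dedicated key only requires publishing its revocation certificate; the personal key that certified it stays untouched.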