At 10:26 AM 04/17/2001, [EMAIL PROTECTED] wrote:
Someone who wasn't attributed wrote:
> > The KEYS file does not need to go into the distribution. Heck, I'd suggest
> > that it specifically *NOT* go into the distro.
Absolutely. If the keys file is in the tarball, then there's really
no point in having it signed, since someone else could generate
another keys file to go into their tarball. The keys file needs to
come from somewhere trustworthy, or it's useless.
> >
> > Assuming no KEYS file in the distro, then step (2) can be ignored.
> >
> > A KEYS file on the public site (whichever of the bazillion redundant copies)
> > needs a key, tho.
>
>I seriously disagree. I thought a lot about this before I posted,
>because I was trying to figure out why the site said you needed the
>KEYS file to be up-to-date before the tag. The reason is
>simple. If I just downloaded the 2.0.17 tarball, and I want to get
>the KEYS file, I am going to go to CVS, and grab the one with the
>2.0.17 tag.
That assumes the user knows something about CVS, and where to find
the keys file. It also requires a separate keys file for every
project. If there is a central keys file on the web, or at least one
per project, then the user can just go to that page (probably the
download page) and get the current keys file.
--
Greg Marr
[EMAIL PROTECTED]
"We thought you were dead."
"I was, but I'm better now." - Sheridan, "The Summoning"