On 11 Jun 2008, at 15:24, Alexander Boström wrote:
> Regarding the openafs.org RPMs, is there any chance of adding signatures
> to them?

Who do you trust?

It would be trivial to arrange that the RPMs are automatically signed
by a GPG key that lives on the build machine, with an unprotected
private key.

It's harder to arrange that they're signed by a key which requires
manual intervention - but it would be possible for them to be signed,
for example, by my GPG key.

As for an OpenAFS key, who do you let sign packages with that key?
What happens if someone with access to that key then leaves the
project, etc, etc?

And, ultimately, if the packages are getting signed without any form
of checks, do either of the latter two actually offer any more
security than the first?

S.
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info