On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote:
> Hey,
>
> > Well, Albert and I use (the same user on) the same server to make
> > releases. So the private key will have to be on that server, otherwise
> > it will become very inconvenient (download, sign, upload).
> >
> > But if that's good enough, and if we can tell gpg2 which private key to
> > use (so he and I don't use the same), then we can proceed with the idea.
>
> you don't need to have the private key on the server - We have gpg-agent and
> ssh - so you can forward the gpg-agent to the server when doing a release.
> That way the private key material stays safe at your place:
>
> https://www.isi.edu/~calvin/gpgagent.htm
I agree a single gpg key makes more sense, but it also creates the problem with
"to how many people do we give it so that bus factor is not a problem and trust
factor of the key being stolen/misused is not either".

Cheers,
  Albert

> > Regards,
> > sandro
> _______________________________________________
> release-team mailing list
> [email protected]
> https://mail.kde.org/mailman/listinfo/release-team
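The agent forwarding Sandro describes above, as an added example that is not part of the thread or of KDE's release tooling: it uses GnuPG 2.1+'s restricted "extra" socket and ssh's `-R` Unix-socket forwarding so signing requests travel to the local agent while the private key never touches the release host. The host name, key id and tarball path are placeholders, and the remote sshd is assumed to have `StreamLocalBindUnlink yes` so a stale socket does not block the forward.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes GnuPG >= 2.1 on
# both ends, a local gpg-agent already running, and that the remote sshd
# is configured with "StreamLocalBindUnlink yes" (a leftover socket from a
# remote gpg-agent would otherwise make the -R forward fail silently).
set -eu

# Build the ssh -R argument: <remote agent socket>:<local extra socket>.
# The "extra" socket is the restricted one GnuPG provides for forwarding;
# it answers signing/decryption requests but refuses key export, so a
# compromised release host cannot pull the key through the tunnel.
forward_arg() {
    remote_sock=$1
    local_sock=$2
    printf '%s:%s' "$remote_sock" "$local_sock"
}

# Ask each side where its agent socket lives instead of hard-coding paths
# (they differ between /run/user/<uid>/gnupg and ~/.gnupg layouts).
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket
}

remote_agent_socket() {
    ssh "$1" gpgconf --list-dirs agent-socket
}

# Detach-sign a release tarball on the remote host through the forwarded
# agent. The passphrase prompt (pinentry) appears on the local machine.
# The remote gpg still needs the *public* key imported: it looks up the
# keygrip locally and only asks the forwarded agent to sign.
sign_remote() {
    host=$1
    keyid=$2
    tarball=$3
    fwd=$(forward_arg "$(remote_agent_socket "$host")" "$(local_extra_socket)")
    ssh -R "$fwd" "$host" \
        "gpg --batch --local-user '$keyid' --detach-sign --armor '$tarball'"
}

# Placeholder host, key id and path; only runs when invoked with "run".
if [ "${1:-}" = run ]; then
    sign_remote release.example.org 0xPLACEHOLDERKEYID /srv/release/pkg-1.0.tar.xz
fi
```

Each release manager forwards their own agent, so the question of which key to use on the shared account is answered by `--local-user` on the remote side rather than by copying anyone's key there.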
