I've just generated a GPG key for signing Subversion releases. It's a
2048-bit, DSA+ElGamal key. The idea (suggested by Ben Reser) was to
have a shared maintainer key that the person doing a particular
release would use to sign that release. The key would be personally
signed by as many Subversion developers as we can reliably verify.
For example, I can get three more sitting right here (Ben C-S, Mike
Pilato, and Brian Fitzpatrick), plus Sander Striker over the phone,
etc, etc. Pretty soon, the trust network would floodfill and almost
every current developer would have been able to sign the key.
Of course, individuals can & should personally sign releases too, so
that the shortest trust path is available to any given downloader.
The purpose of a shared key is twofold:
1. Once someone has verified that they trust that particular key,
they never have to go through that work again. They can trust
every subsequent release just by verifying the signature. (This
is the advantage of a digital signature over MD5. It's not that
it's more secure, it's that it's more convenient over the long
run.)
2. A shared key gives us a clear moment when the release is
"blessed" by the group.
However, I was just talking to Sander Striker on IRC today, and he had
some objections to using a shared key. So, Sander, please follow up.
Then I was talking to Ben Reser, who had some defenses of the plan.
So Ben, please follow up (but maybe wait for Sander, so we get a nice
point/counterpoint pattern going, can sell tickets to spectators, etc).
I guess I'll keep the new key here for a while, until we decide what
we're doing.
-Karl
Received on Wed Mar 17 18:50:30 2004
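Added example, not part of Karl's mail or the Subversion project's own release tooling: the downloader's side of point 1 above. The maintainer key's fingerprint is verified and pinned once; after that each release is accepted or rejected purely on its detached signature, with no per-release trust decision. The key, the "tarball" and the signature are all constructed locally so the script runs offline; the uid, file names and the helper verify_release are assumptions for illustration. It needs gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the Subversion project): pin a maintainer key's
# fingerprint once, then verify every release's detached signature against it.
# Everything below (key, tarball stand-in, signature) is constructed locally.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

# Batch-mode wrapper so no pinentry prompt is ever raised.
gpgb() { gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# --- maintainer side (stand-in for the shared release-signing key) -------
MAINT_HOME=$(mktemp -d); chmod 700 "$MAINT_HOME"
WORK=$(mktemp -d)
export GNUPGHOME=$MAINT_HOME
gpgb --quick-generate-key \
    'Subversion Release Signing (example) <release@example.invalid>' default default never
# The fingerprint a downloader records after verifying the key in person
# (or through a signature path in the web of trust). This is the ONE-TIME step.
PINNED_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
gpgb --armor --export "$PINNED_FPR" > "$WORK/maintainer-key.asc"

# Constructed stand-in for a release tarball, plus its detached signature.
printf 'constructed stand-in for subversion-1.0.0.tar.gz\n' > "$WORK/subversion-1.0.0.tar.gz"
gpgb --armor --detach-sign \
    -o "$WORK/subversion-1.0.0.tar.gz.asc" "$WORK/subversion-1.0.0.tar.gz"

# --- downloader side ------------------------------------------------------
DL_HOME=$(mktemp -d); chmod 700 "$DL_HOME"
export GNUPGHOME=$DL_HOME
gpgb --import "$WORK/maintainer-key.asc"

# verify_release TARBALL SIG: succeeds only if SIG is a good signature over
# TARBALL made by the pinned key. gpg's VALIDSIG status line carries the
# signing-key fingerprint (field 3) and the primary-key fingerprint (last
# field); either must equal the pin. A good signature from some other
# imported key is rejected just like a bad one.
verify_release() {
    gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null \
      | awk -v fpr="$PINNED_FPR" '
          $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==fpr || $NF==fpr) { ok=1 }
          END { exit ok ? 0 : 1 }'
}

# Untouched release: accepted.
verify_release "$WORK/subversion-1.0.0.tar.gz" "$WORK/subversion-1.0.0.tar.gz.asc" \
    && echo "subversion-1.0.0.tar.gz: signature OK, made by pinned key $PINNED_FPR"

# Same signature over a tampered tarball: rejected.
cp "$WORK/subversion-1.0.0.tar.gz" "$WORK/tampered.tar.gz"
printf 'x\n' >> "$WORK/tampered.tar.gz"
verify_release "$WORK/tampered.tar.gz" "$WORK/subversion-1.0.0.tar.gz.asc" \
    || echo "tampered.tar.gz: signature does not verify, rejected"
```

The check deliberately keys on the VALIDSIG fingerprint rather than on gpg's exit status alone: gpg exits 0 for any good signature from any key in the keyring, so without the fingerprint comparison an attacker who can get a different key imported (or who ships a tarball signed by their own key) would pass. Comparing against the pinned fingerprint is what turns the one-time key verification into a per-release decision that needs no further judgement, which is the convenience Karl's point 1 is about.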