
Re: PROPOSAL: GPG Signing of Releases

From: Brian W. Fitzpatrick <fitz_at_red-bean.com>
Date: 2004-04-06 23:08:52 CEST

On Tue, 2004-04-06 at 13:47, Ben Reser wrote:
> Seeing as not very many people have responded to the earlier thread and
> my embedded proposal, I'm posting a separate email clearly titled...
>
> I'm proposing that we have a project key which will be held by the
> CollabNet folks for the time being. However, the project key's signature
> would not be the only signature on a release.

I'm all for having multiple committers sign a release for the purpose of
providing multiple trust paths to the signer's key, but I'm against the
idea of a "shared key". I discussed this a bit with Ben Laurie, and he
said:

    Shared keys are bad, for the obvious reason that you have to:

    a) Share it, implying some other shared form of trust in the first
       place.
    b) Revoke it when anyone leaves.

I see no benefit gained by having this key.

-Fitz
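One way to make the "multiple committers sign a release" idea concrete, as an added example that is not code from the Subversion project or from this message: a release-verification check that reads the machine-readable output gpg writes to --status-fd for each detached signature and accepts the release only when a quorum of distinct committer keys have produced good, unrevoked signatures. It does not invoke gpg itself; the key IDs, user IDs, file names and status transcripts below are constructed for illustration, and the committer keyring is a made-up mapping. It also shows the two points from the message: a revoked individual key costs exactly one signature while the others still stand, and a shared project key yields only one signer no matter how many people used it.

```python
"""Quorum check over several detached GPG signatures on one release artifact.

Added example, not code from the Subversion project or from the message
above. It does not run gpg; it parses the machine-readable lines gpg
writes to --status-fd, e.g. from

    gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz

Every key ID, user ID, file name and status transcript here is constructed.
"""
import re
from dataclasses import dataclass

# Keys the release policy trusts: long key ID -> holder. Made-up values.
TRUSTED_SIGNING_KEYS = {
    "0123456789ABCDEF": "committer-a",
    "FEDCBA9876543210": "committer-b",
    "00112233445566AA": "committer-c",           # has since left the project
    "AAAAAAAAAAAAAAAA": "project-release-key",    # hypothetical shared key
}

# Status tokens gpg emits for a signature on the verified data.
STATUS_RE = re.compile(
    r"^\[GNUPG:\] (GOODSIG|BADSIG|REVKEYSIG|EXPKEYSIG|NO_PUBKEY|ERRSIG) ([0-9A-F]{16})"
)


@dataclass(frozen=True)
class Sig:
    status: str
    keyid: str


def parse_status(text: str) -> list[Sig]:
    """Extract (status, long key ID) pairs from one gpg --status-fd transcript."""
    return [Sig(m.group(1), m.group(2))
            for line in text.splitlines()
            if (m := STATUS_RE.match(line))]


def check_release(status_by_sigfile: dict[str, str], required: int) -> tuple[bool, list[str]]:
    """Accept only if at least `required` DISTINCT trusted keys made a good,
    currently valid signature. A bad signature rejects the release outright:
    it means the artifact or the signature file was altered."""
    signers: set[str] = set()
    log: list[str] = []
    for sigfile, text in status_by_sigfile.items():
        for sig in parse_status(text):
            who = TRUSTED_SIGNING_KEYS.get(sig.keyid, f"unknown key {sig.keyid}")
            if sig.status == "BADSIG":
                log.append(f"{sigfile}: BAD signature ({who}); release rejected")
                return False, log
            if sig.status == "GOODSIG" and sig.keyid in TRUSTED_SIGNING_KEYS:
                signers.add(sig.keyid)   # a set: the same key signing twice counts once
                log.append(f"{sigfile}: good signature from {who}")
            else:
                # REVKEYSIG/EXPKEYSIG/NO_PUBKEY/ERRSIG, or a good signature from a
                # key we do not trust. Revoking one person's key costs only this
                # one signature; the other signers' signatures still stand.
                log.append(f"{sigfile}: {sig.status} from {who}; not counted")
    ok = len(signers) >= required
    log.append(f"{len(signers)} distinct trusted signer(s), {required} required: "
               + ("ACCEPT" if ok else "REJECT"))
    return ok, log


# Constructed transcripts: three committers each signed with their own key,
# but committer-c's key has been revoked since.
PER_KEY_SIGNATURES = {
    "release.tar.gz.asc.a": "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF committer-a <a@example.org>\n",
    "release.tar.gz.asc.b": "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG FEDCBA9876543210 committer-b <b@example.org>\n",
    "release.tar.gz.asc.c": "[GNUPG:] NEWSIG\n[GNUPG:] REVKEYSIG 00112233445566AA committer-c <c@example.org>\n",
}

# Same three files, all produced with one shared project key.
SHARED_KEY_SIGNATURES = {
    name: "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA project-release-key\n"
    for name in PER_KEY_SIGNATURES
}

# As PER_KEY_SIGNATURES, but the tarball was altered after committer-a signed.
TAMPERED_SIGNATURES = dict(PER_KEY_SIGNATURES)
TAMPERED_SIGNATURES["release.tar.gz.asc.a"] = (
    "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF committer-a <a@example.org>\n"
)

if __name__ == "__main__":
    for label, sigs in (("per-key", PER_KEY_SIGNATURES),
                        ("shared-key", SHARED_KEY_SIGNATURES),
                        ("tampered", TAMPERED_SIGNATURES)):
        ok, log = check_release(sigs, required=2)
        print(f"== {label}: {'accepted' if ok else 'rejected'}")
        print("\n".join("   " + line for line in log))
```

With two-of-three required, the per-key set passes on committer-a and committer-b even though committer-c's key is revoked; the shared-key set fails because all three files trace to one key ID; the tampered set fails on the first BADSIG. Rejecting on any BADSIG rather than merely not counting it is a deliberate choice: a signature that does not match the artifact is evidence of modification, not just a missing vote.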

Received on Tue Apr 6 23:09:37 2004

This is an archived mail posted to the Subversion Dev mailing list.
