Re: PROPOSAL: GPG Signing of Releases

From: Brian W. Fitzpatrick <fitz_at_red-bean.com>
Date: 2004-04-06 23:08:52 CEST

On Tue, 2004-04-06 at 13:47, Ben Reser wrote:
> Seeing as not very many people have responded to the earlier thread and
> my embedded proposal, I'm posting a separate email clearly titled...
>
> I'm proposing that we have a project key which will be held by the
> CollabNet folks for the time being. However, the project keys signature
> would not be the only signature on a release.

I'm all for having multiple committers sign a release for the purpose of
providing multiple trust paths to the signer's key, but I'm against the
idea of a "shared key". I discussed this a bit with Ben Laurie, and he
said:

Shared keys are bad, for the obvious reason that you have to:

    a) Share it, implying some other shared form of trust in the first
       place.
    b) Revoke it when anyone leaves.

I see no benefit gained by having this key.

-Fitz

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 6 23:09:37 2004

This message: [ Message body ]
Next message: C. Michael Pilato: "Re: [PATCH] Fix to svn_time_to_human_cstring() - take 3"
Previous message: kfogel_at_collab.net: "Re: [PATCH] Fix to svn_time_to_human_cstring() - take 3"
In reply to: Ben Reser: "PROPOSAL: GPG Signing of Releases"
Next in thread: Jani Averbach: "Re: PROPOSAL: GPG Signing of Releases"
Reply: Jani Averbach: "Re: PROPOSAL: GPG Signing of Releases"
Reply: Ben Reser: "Re: PROPOSAL: GPG Signing of Releases"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]