
Re: PROPOSAL: GPG Signing of Releases

From: Mark Benedetto King <mbk_at_lowlatency.com>
Date: 2004-04-07 02:19:03 CEST

On Tue, Apr 06, 2004 at 04:43:31PM -0700, Justin Erenkrantz wrote:
>
> I hereby vote -1 (i.e. non-veto No) against this. I think a shared key is
> about the worst thing we could do to solve this problem. -- justin
>

I propose that Karl Fogel sign the public keys of the CollabNet folks and anyone
else he can reliably authenticate and that those keys be stored in

http://svn.collab.net/repos/svn/trunk/KEYS

(Why Karl Fogel? His public key is already well-known and available at
 http://www.red-bean.com/~kfogel/public-key.html)

These signed keys can then be used to sign the public keys of the other
committers when and if they can be authenticated to the satisfaction of the
holders of already signed keys. These keys can be signed multiple times.

The policy decision about how to determine whether a particular key has enough
signature-mojo in order to be trusted to sign a release is a different
decision.

--ben

Received on Wed Apr 7 04:45:38 2004
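
The signing chain proposed in this message, modelled as an added example (not part of the original post and not Subversion project code): starting from one well-known root key, it finds every key with a chain of signatures back to that root and which authenticated keys signed it. All key names and signatures are constructed placeholders; the example deliberately stops at reporting signers and applies no trust threshold, since the message leaves that policy open.

```python
from collections import deque

# Constructed sample data: (signer, signed_key) pairs standing in for the
# signatures one would find on keys in a KEYS file. All names are hypothetical.
SIGNATURES = [
    ("root", "collabnet-a"),
    ("root", "collabnet-b"),
    ("collabnet-a", "committer-x"),
    ("collabnet-b", "committer-x"),   # a key can be signed multiple times
    ("collabnet-a", "committer-y"),
    ("stranger", "committer-z"),      # signer has no chain back to the root
    ("committer-z", "stranger"),      # mutual signing, still unanchored
    ("committer-y", "committer-y"),   # self-signature, carries no weight here
]


def authenticated_keys(root, signatures):
    """Map each key reachable from `root` to the authenticated keys that signed it.

    A signature only counts if the signer itself has a signature chain back
    to the root, so unanchored clusters of keys signing each other are ignored.
    """
    signed_by = {}
    for signer, key in signatures:
        signed_by.setdefault(signer, set()).add(key)

    vouchers = {root: set()}          # the root is trusted out of band
    queue = deque([root])
    while queue:
        signer = queue.popleft()      # every dequeued key is authenticated
        for key in sorted(signed_by.get(signer, ())):
            if key == root or key == signer:
                continue              # ignore signatures on the root and self-signatures
            if key not in vouchers:
                vouchers[key] = set()
                queue.append(key)     # newly authenticated key may sign others
            vouchers[key].add(signer)
    return vouchers


def signature_counts(root, signatures):
    """Number of authenticated signers per key: the input a later policy would weigh."""
    return {k: len(v) for k, v in authenticated_keys(root, signatures).items()}


if __name__ == "__main__":
    for key, count in sorted(signature_counts("root", SIGNATURES).items()):
        print(f"{key}: {count} authenticated signature(s)")
```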
