Re: PROPOSAL: GPG Signing of Releases

Justin Erenkrantz <justin@erenkrantz.com> writes:
> again, I'll strongly advise that you don't create a shared key - even
> for a 'test' run. Once you create it, we're going to be bound to use
> it forever - whether you think we should or not - it's there and its
> absence will cause worry among people who have seen it before.

Oh -- if we're going to bound forever to use it, then I wouldn't
create it. The potential to abandon it is a precondition of the
experiment, as far as I'm concerned.

Do you think its absence later would cause real worry?

> I think you're also ignoring the fact that most of the other
> developers have stated that they are against having a shared key.

The majority is not *so* overwhelming as to stop all discussion :-).

The point I'm trying to make (but didn't make very clearly before) is
just this:

By signing only with individual keys, *we* make a certain
security/convenience tradeoff choice for all Subversion users, instead
of letting them make that choice.

But by signing with individual keys and a project key, we let each
user make the choice for themselves. They're free to ignore the
project key, and find a trust path to one of the individual signers
instead, if they don't like the idea of a shared key. Or, if they
want to go with convenience, they can trust the project key every time
they download.

Since it's the user's security & hassle in question here, I feel it's
somewhat better to give them the choice than to make it for them.

However, it's not the most important issue in the world either. If we
decide that dropping the shared key later would look too bad, then we
shouldn't start with it now, IMHO.

Does that clarify things a bit better?

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 12 18:43:02 2004