commons-dev mailing list archives
From robert burrell donkin <robertburrelldon...@blueyonder.co.uk>
Subject Re: [all] MD5 and PGP generation [Was: [feedparser] News / Status]
Date Thu, 02 Mar 2006 22:49:36 GMT
On Thu, 2006-03-02 at 14:03 -0800, Henri Yandell wrote:
> Yeah, running it isn't really the problem. Managing the key when you
> don't use it for email is the bit that got painful.

you don't really need to do any key management (unless you want to). a
key used for code signing can just be kept safe on removable media until
it's needed.

building a strong web of trust requires key management but even that's
not too painful if you only do it at apachecon. 

> We're not supposed to be using the pgp on minotaur; so my TODO is to
> figure out how to get my key off of there, hope I still know the
> passphrase, 

i hope so too :)

there are various ways to export the key but copying the files should
work fine too. 

> come up with some kind of more-secure-than-minotaur
> machine to put it on (really not sure where I'd put it) and get things
> started there.

the argument for not storing keys is about defence in depth, not about
security. if minotaur is compromised, all the releases which are signed
only by keys on minotaur must be regarded as suspect. if your key is
cracked but minotaur is not, then even the releases signed with your key
alone are not suspect.

but that's not an argument for not keeping the key safe.

- robert
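The release-signing routine the thread is circling around (a key kept on removable media rather than on the shared host, an MD5 sidecar and a detached PGP signature per artifact, and a verification step that fails closed), as an added example. This is not code from the thread, from the commons project or from Apache infrastructure; the artifact name, the GnuPG home directory on removable media, the key id and the tamper step are all constructed for illustration. The gpg part shells out to the real `gpg` binary and is skipped when it is not installed, so the checksum functions still run stand-alone.

```python
"""Added example (not from the original thread): generate and verify the MD5
sidecar and detached PGP signature for a release artifact, reading the signing
key from a GnuPG home on removable media instead of a shared host.
All paths, names and the key id below are assumptions for illustration."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional


def md5_hex(path: Path) -> str:
    """Hex MD5 of a file, streamed so a large tarball is not read into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_digest(text: str) -> str:
    """Pull the digest out of an .md5 sidecar. Accepts the md5sum layouts
    'digest *name' and 'digest  name' as well as a bare digest line."""
    return text.strip().split()[0].lower()


def write_md5_sidecar(artifact: Path) -> Path:
    """Write artifact.md5 in the 'digest *name' form that md5sum -c accepts."""
    sidecar = artifact.with_name(artifact.name + ".md5")
    sidecar.write_text(f"{md5_hex(artifact)} *{artifact.name}\n")
    return sidecar


def verify_md5_sidecar(artifact: Path) -> bool:
    """Recompute the digest and compare it with the sidecar; missing sidecar fails."""
    sidecar = artifact.with_name(artifact.name + ".md5")
    if not sidecar.exists():
        return False
    return sidecar_digest(sidecar.read_text()) == md5_hex(artifact)


def sign_detached(artifact: Path, gnupg_home: Path, key_id: str) -> Optional[Path]:
    """Produce artifact.asc with gpg, using only the secret keyring under
    gnupg_home (assumed to be a mount point on removable media). Returns
    None when gpg is not installed so the checksum path still works."""
    if shutil.which("gpg") is None:
        return None
    sig = artifact.with_name(artifact.name + ".asc")
    subprocess.run(
        ["gpg", "--homedir", str(gnupg_home), "--batch", "--yes",
         "--local-user", key_id, "--armor", "--detach-sign",
         "--output", str(sig), str(artifact)],
        check=True,
    )
    return sig


def verify_detached(artifact: Path, gnupg_home: Path) -> bool:
    """gpg --verify against the public keyring in gnupg_home. A non-zero exit
    covers both BAD signature and unknown key; either must fail the release."""
    sig = artifact.with_name(artifact.name + ".asc")
    if shutil.which("gpg") is None or not sig.exists():
        return False
    res = subprocess.run(
        ["gpg", "--homedir", str(gnupg_home), "--batch", "--verify",
         str(sig), str(artifact)],
        capture_output=True,
    )
    return res.returncode == 0


def demo() -> Dict[str, bool]:
    """Self-contained run on a constructed artifact in a temporary directory:
    write the sidecar, verify it, then tamper with the artifact and verify again."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "commons-feedparser-1.0.tar.gz"  # assumed name
        artifact.write_bytes(b"constructed release bytes, not a real tarball\n")
        write_md5_sidecar(artifact)
        ok = verify_md5_sidecar(artifact)
        artifact.write_bytes(artifact.read_bytes() + b"x")  # simulate tampering
        tampered_ok = verify_md5_sidecar(artifact)
        return {"md5_ok": ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

To use the PGP half, pass `sign_detached` a `gnupg_home` such as `/media/usbkey/gnupg` (an assumed mount point) holding the exported secret key, and run `verify_detached` on a machine whose `gnupg_home` holds only the public keyring; the secret key never needs to live on the build host.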

