commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Kitching <skitch...@apache.org>
Subject Re: [all] MD5 and PGP generation [Was: [feedparser] News / Status]
Date Fri, 03 Mar 2006 00:40:12 GMT
On Thu, 2006-03-02 at 14:50 -0800, Henri Yandell wrote:
> > > We're not supposed to be using the pgp on minotaur; so my TODO is to
> > > figure out how to get my key off of there, hope I still know the
> > > passphrase,
> >
> > i hope so too :)
> >
> > there are various ways to export the key but copying the files should
> > work fine too.
> 
> Advice is to revoke it - as who knows what you evil buggers have been
> doing to it :)

It's not because people with access to minotaur are untrustworthy that
keys shouldn't be there :-)

It's that if the key is on there, someone who hacks that machine has
*both* the key *and* the ability to publish what would seem to be
"official" releases.

If the key is on your home machine, then someone has to hack *both* that
*and* minotaur to do the same. Even if your home machine isn't that
secure, it's an improvement.

At least that's how I understand it.

Cheers,

Simon


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Mime
View raw message