[OpenAFS] OpenAFS RPMs and GPG signatures
Thu, 12 Jun 2008 00:43:10 +0100
On 11 Jun 2008, at 15:24, Alexander Boström wrote:
> Regarding the openafs.org RPMs, is there any chance of adding
> to them?
Who do you trust?
It would be trivial to arrange that the RPMs are automatically signed by a GPG key that lives on the build machine, with an unprotected
It's harder to arrange that they're signed by a key which requires manual intervention - but it would be possible for them to be signed, for example, by my GPG key.
As for an OpenAFS key, who do you let sign packages with that key? What happens if someone with access to that key then leaves the project, etc, etc?
And, ultimately, if the packages are getting signed without any form of checks, do either of the latter two actually offer any more security than the first?