OpenAFS RPMs and GPG signatures

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 12 Jun 2008 00:43:10 +0100

On 11 Jun 2008, at 15:24, Alexander Boström wrote:

> Regarding the openafs.org RPMs, is there any chance of adding signatures
> to them?

Who do you trust?

It would be trivial to arrange that the RPMs are automatically signed
by a GPG key that lives on the build machine, with an unprotected
private key.

It's harder to arrange that they're signed by a key which requires
manual intervention - but it would be possible for them to be signed,
for example, by my GPG key.

As for an OpenAFS key, who do you let sign packages with that key?
What happens if someone with access to that key then leaves the
project, etc, etc?

And, ultimately, if the packages are getting signed without any form
of checks, do either of the latter two actually offer any more
security than the first?
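The thread's point is that "signed" means little until the consumer decides which key they trust. As an added example (not from this thread or the OpenAFS project), the script below parses the output of `rpm -K -v` and accepts a package only when every signature verifies and the signing key ID is on an explicit allowlist; the two output line formats it recognises and the key IDs and sample outputs are assumptions constructed for the example, not real OpenAFS values.

```python
import re
import subprocess

# Two line shapes seen in `rpm -K -v` output (assumed; older rpm puts the
# status before the key ID, newer rpm puts it after):
#   "Header V3 DSA signature: OK, key ID 0123abcd"
#   "Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK"
SIG_NEW = re.compile(r"[Ss]ignature, key ID ([0-9a-fA-F]+): (\w+)")
SIG_OLD = re.compile(r"[Ss]ignature: (\w+), key ID ([0-9a-fA-F]+)")


def signer_key_ids(checksig_output):
    """Return (ok_key_ids, failed_key_ids) found in `rpm -K -v` text."""
    ok, failed = set(), set()
    for line in checksig_output.splitlines():
        m = SIG_NEW.search(line)
        if m:
            key_id, status = m.group(1), m.group(2)
        else:
            m = SIG_OLD.search(line)
            if not m:
                continue  # digest lines and the file name are ignored
            status, key_id = m.group(1), m.group(2)
        (ok if status == "OK" else failed).add(key_id.lower())
    return ok, failed


def signed_by_trusted_key(checksig_output, trusted_key_ids):
    """True only if at least one signature verified, none failed (BAD or
    NOKEY), and every signing key is on the caller's allowlist."""
    ok, failed = signer_key_ids(checksig_output)
    trusted = {k.lower() for k in trusted_key_ids}
    return bool(ok) and not failed and ok <= trusted


def check_rpm(path, trusted_key_ids):
    """Run rpm's own verification and apply the key-ID policy to its output."""
    out = subprocess.run(["rpm", "-K", "-v", path],
                         capture_output=True, text=True).stdout
    return signed_by_trusted_key(out, trusted_key_ids)


# Constructed sample outputs (key ID 0123abcd is a placeholder).
SAMPLE_NEW_OK = """example-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK
"""
SAMPLE_OLD_OK = "example-1.0-1.noarch.rpm:\n    Header V3 DSA signature: OK, key ID 0123abcd\n"
SAMPLE_NOKEY = "example-1.0-1.noarch.rpm:\n    V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY\n"
```

An unsigned package produces no signature lines at all, so `signed_by_trusted_key` rejects it rather than treating "nothing failed" as success.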