[OpenAFS] OpenAFS RPMs and GPG signatures

Derrick Brashear shadow@gmail.com
Thu, 12 Jun 2008 00:12:39 -0400


On Wed, Jun 11, 2008 at 7:43 PM, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:
>
> On 11 Jun 2008, at 15:24, Alexander Boström wrote:
>
>> Regarding the openafs.org RPMs, is there any chance of adding signatures
>> to them?
>
> Who do you trust?
>
> It would be trivial to arrange that the RPMs are automatically signed by a
> GPG key that lives on the build machine, with an unprotected private key.
>
> It's harder to arrange that they're signed by a key which requires manual
> intervention - but it would be possible for them to be signed, for example,
> by my GPG key.
>
> As for an OpenAFS key, who do you let sign packages with that key? What
> happens if someone with access to that key then leaves the project, etc,
> etc?

And this is why, incidentally, we haven't solved this yet.