[OpenAFS] OpenAFS RPMs and GPG signatures

Derrick Brashear shadow@gmail.com
Thu, 12 Jun 2008 00:12:39 -0400

On Wed, Jun 11, 2008 at 7:43 PM, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:
> On 11 Jun 2008, at 15:24, Alexander Bostr=F6m wrote:
>> Regarding the openafs.org RPMs, is there any chance of adding signatures
>> to them?
> Who do you trust?
> It would be trivial to arrange that the RPMs are automatically signed by =
> GPG key that lives on the build machine, with an unprotected private key.
> It's harder to arrange that they're signed by a key which requires manual
> intervention - but it would be possible for them to be signed, for exampl=
> by my GPG key.
> As for an OpenAFS key, who do you let sign packages with that key. What
> happens if someone with access to that key then leaves the project, etc,
> etc?

And this is why, incidentally, we haven't solved this yet.