Re: Crypto signing of packages
>>"Ian" == Ian Jackson <ian@chiark.greenend.org.uk> writes:
I like this proposal better than the old one.
However, I'm not sure about competence or integrity requirements;
somehow it goes against the grain for someone who is not issuing my
paycheck.
If we are going to act and issue key revocations about maintainer
keys, then we should recommend that maintainers generate a separate
key for package maintenance, and that key possibly be held in escrow
at the master key maintenance sites (It should need two out of three
sites to unlock the key database). The maintainer holds the other copy
of the secret key. The idea of holding the package-maintainer key in
escrow also allows us to deal with lost keys.
manoj
--
"Just out of curiosity does this actually mean something or have some
of the few remaining bits of your brain just evaporated?" Patricia O
Tuama, rissa@killer.DALLAS.TX.US
Manoj Srivastava <url:mailto:srivasta@acm.org>
Mobile, Alabama USA <url:http://www.datasync.com/%7Esrivasta/>
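
One way to get the "two out of three sites to unlock the key database" property from the message above is to split the secret that protects the escrow database with Shamir secret sharing. This is an added example, not part of the original post or of any Debian tooling; the choice of Shamir, the names split, recover and DB_KEY, and the sample key are assumptions.

```python
import secrets

# Arithmetic is done in a prime field larger than any 256-bit secret.
P = 2**521 - 1  # Mersenne prime

# Constructed sample: 32-byte key protecting the escrow database.
DB_KEY = bytes(range(32))

def split(secret: bytes, k: int, n: int):
    """Return n shares (site_index, value); any k of them recover secret."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n < P) or s >= P:
        raise ValueError("bad threshold or secret too large for field")
    # f(x) = s + c1*x + ... + c_(k-1)*x^(k-1) mod P, random coefficients.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares, k: int, length: int) -> bytes:
    """Lagrange-interpolate f(0) from at least k distinct shares."""
    pts = dict(shares)  # drop duplicate shares from the same site
    if len(pts) < k:
        raise ValueError("not enough distinct shares")
    pts = list(pts.items())[:k]
    s = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(length, "big")  # fixed length keeps leading zeros

if __name__ == "__main__":
    site_a, site_b, site_c = split(DB_KEY, k=2, n=3)
    print(recover([site_a, site_c], 2, len(DB_KEY)) == DB_KEY)
```

With this split, a single compromised or coerced escrow site holds a value that is statistically independent of the database key, and the loss of any one site does not block recovery of a maintainer's lost key.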