
Re: Crypto signing of packages



>>"Ian" == Ian Jackson <ian@chiark.greenend.org.uk> writes:

 I like this proposal better than the old one. 

 However, I'm not sure about competence or integrity requirements;
 somehow it goes against the grain for someone who is not issuing my
 paycheck. 

 If we are going to act and issue key revocations about maintainer
 keys, then we should recommend that maintainers generate a separate
 key for package maintenance, and that key possibly be held in escrow
 at the master key maintenance sites (It should need two out of three
 sites to unlock the key database). The maintainer holds the other copy
 of the secret key. The idea of holding the package-maintainer key in
 escrow also allows us to deal with lost keys.

	manoj

-- 
 "Just out of curiosity does this actually mean something or have some
 of the few remaining bits of your brain just evaporated?" Patricia O
 Tuama, rissa@killer.DALLAS.TX.US
Manoj Srivastava               <url:mailto:srivasta@acm.org>
Mobile, Alabama USA            <url:http://www.datasync.com/%7Esrivasta/>

