[lxc-devel] Something to think about (PGP signing)...

Michael H. Warfield mhw at WittsEnd.com
Mon Apr 8 17:01:21 UTC 2013


Hey all,

With the release of 0.9.0 I started thinking about something.  We're not
signing those tarballs with PGP or even publishing MD5/SHA-1/SHA-256
checksums on them.  That has been kind of a standard practice with a lot
of packages, most particularly with anything that can impact security.
The Samba packages (I'm on the Samba Team) are all signed and the team
signing key has been signed by several of us, including me, that anchors
it all the way back to the "dead trees edition" book of the web of trust
fingerprints.

As we're now opening up the branch heading for 1.0, should we start
thinking about establishing a key, getting it signed, and starting to
use it for releases?

Just food for thought.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!