
List:       gentoo-dev
Subject:    Re: [gentoo-dev] OpenPGP verification for gentoo-mirror repos
From:       Zac Medico <zmedico () gentoo ! org>
Date:       2016-10-31 19:17:49
Message-ID: d5bdb435-9839-4a5d-c8c3-4474d1f25295 () gentoo ! org

On 10/31/2016 01:34 AM, Michał Górny wrote:
> The major difference between a developer key and an automated key is
> that the latter is a far easier target. I think we can trust Gentoo
> developers to at least have their keys encrypted. I suppose most of
> them don't 'git log -p' the commits they sign, but well, it's still
> harder to target a developer PC than a public server that most likely
> keeps its signature key unencrypted (or with a cleartext password).

How about if we use subkeys that expire every 3 months or so?
Realistically, won't that provide a reasonable level of security? That
way, whoever is stealing our keys for the purposes of man-in-the-middle
attacks will have to get a new copy of our key every 3 months.
-- 
Thanks,
Zac
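One way to put the 3-month subkey idea into practice, as an added example that is not part of the thread: a certify-only primary key with a signing subkey limited to 90 days, and a verifier-side check that distinguishes a signature made by a still-valid subkey from one whose key has since expired. It assumes GnuPG 2.1 or newer on the PATH; the key name and payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the gentoo-dev thread. Requires GnuPG 2.1+.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
# Unprotected key for the demo only; a real bot key should be protected and
# the primary key kept off the public server (it never signs mirror data).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

setup_keyring() {
    g --quick-generate-key 'Mirror bot (constructed) <bot@example.invalid>' ed25519 cert never
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    # The short-lived signing subkey proposed in the thread: 90 days.
    g --quick-add-key "$fpr" ed25519 sign 90d
    echo "$fpr"
}

sign_file() { g --detach-sign --armor --output "$1.asc" "$1"; }

# Verifier side: GnuPG still reports a signature from an expired key, but as
# EXPKEYSIG instead of GOODSIG, so the status lines must be checked explicitly.
verify_signed() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    case "$status" in
        *'[GNUPG:] EXPKEYSIG'*) echo expired-key ;;
        *'[GNUPG:] REVKEYSIG'*) echo revoked-key ;;
        *'[GNUPG:] GOODSIG'*)   echo valid ;;
        *)                      echo bad ;;
    esac
}

# Days until the signing subkey expires (colon field 7 is the expiry epoch,
# field 12 the capabilities); a policy check can reject long-lived subkeys.
subkey_lifetime_days() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: -v now="$(date +%s)" \
            '$1=="sub" && index($12,"s") {print int(($7-now)/86400); exit}'
}

FPR=$(setup_keyring)
echo 'gentoo-mirror snapshot (constructed payload)' > "$GNUPGHOME/payload"
sign_file "$GNUPGHOME/payload"
echo "verify: $(verify_signed "$GNUPGHOME/payload")"
echo "signing subkey lifetime: $(subkey_lifetime_days "$FPR") days"
```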
