
List:       kde-release-team
Subject:    Re: tarball signing
From:       Albert Astals Cid <aacid () kde ! org>
Date:       2016-06-07 12:09:44
Message-ID: 2375628.52svRuZ59W () xps

On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote:
> Hey,
> 
> > Well, Albert and I use (the same user on) the same server to make
> > releases. So the private key will have to be on that server, otherwise
> > it will become very inconvenient (download, sign, upload).
> > 
> > But if that's good enough, and if we can tell gpg2 which private key to
> > use (so he and I don't use the same), then we can proceed with the idea.
> 
> You don't need to have the private key on the server. We have gpg-agent and
> ssh, so you can forward the gpg-agent to the server when doing a release.
> That way the private key material stays safe at your place:
> 
> https://www.isi.edu/~calvin/gpgagent.htm

I agree a single gpg key makes more sense, but it also creates the problem 
with "to how many people do we give it so that bus factor is not a problem and 
trust factor of the key being stolen/misused is not either".

Cheers,
  Albert

> 
> Regards,
> 
> sandro
> _______________________________________________
> release-team mailing list
> release-team@kde.org
> https://mail.kde.org/mailman/listinfo/release-team


_______________________________________________
release-team mailing list
release-team@kde.org
https://mail.kde.org/mailman/listinfo/release-team
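Added example (not from the thread, and not KDE's release tooling): a small POSIX shell script that builds the two pieces Sandro's suggestion needs, the ssh `RemoteForward` that connects the release server's gpg-agent socket to the releaser's local agent, and a `gpg2 --detach-sign` command with an explicit `--local-user` so two people sharing one release account each sign with their own key. The host alias `release-host`, the socket paths and the key ID are placeholders; on a real setup the paths come from `gpgconf --list-dirs agent-socket` on the server and `gpgconf --list-dirs agent-extra-socket` on the laptop (GnuPG 2.1 or later, which is what provides the restricted "extra" socket).

```shell
#!/bin/sh
# Added example: forward a local gpg-agent to a release server over ssh so
# the signing key never leaves the releaser's machine. All host names,
# socket paths and key IDs below are placeholders, not values from the thread.

# RemoteForward maps a Unix socket on the server onto a Unix socket on the
# local machine. The local side should be the agent's *extra* (restricted)
# socket, which only allows signing/decryption and refuses key export.
#   remote_socket: output of `gpgconf --list-dirs agent-socket` on the server
#   local_socket:  output of `gpgconf --list-dirs agent-extra-socket` locally
agent_forward_option() {
    remote_socket="$1"
    local_socket="$2"
    printf 'RemoteForward %s %s' "$remote_socket" "$local_socket"
}

# ~/.ssh/config stanza for the release host. StreamLocalBindUnlink lets sshd
# replace a stale socket file left by a previous session; the server's
# sshd_config must also contain "StreamLocalBindUnlink yes".
ssh_config_stanza() {
    host="$1"
    remote_socket="$2"
    local_socket="$3"
    printf 'Host %s\n    %s\n    StreamLocalBindUnlink yes\n' \
        "$host" "$(agent_forward_option "$remote_socket" "$local_socket")"
}

# Signing command to run *on the server* once logged in via the stanza above.
# --local-user pins the key, so a shared account cannot silently sign with
# whichever key happens to be first in the keyring. The passphrase/pinentry
# prompt appears on the laptop, because that is where the private key lives.
sign_command() {
    key_id="$1"
    tarball="$2"
    printf 'gpg2 --batch --local-user %s --armor --detach-sign %s' \
        "$key_id" "$tarball"
}

# Verification command for anyone downloading the tarball; needs only the
# public key, never the agent.
verify_command() {
    tarball="$1"
    printf 'gpg2 --verify %s.asc %s' "$tarball" "$tarball"
}

# Walk through the procedure with placeholder values (no commands executed).
echo "# 1. Put this in ~/.ssh/config on the releaser's machine:"
ssh_config_stanza release-host \
    /run/user/1000/gnupg/S.gpg-agent \
    /run/user/1000/gnupg/S.gpg-agent.extra
echo "# 2. ssh release-host, then run on the server:"
sign_command 0xPLACEHOLDERKEYID kapp-1.0.tar.xz
echo
echo "# 3. Downloaders verify with:"
verify_command kapp-1.0.tar.xz
echo
```

Because only the restricted extra socket is forwarded, a compromised release server can ask the laptop to sign while the session is open, but it cannot pull the key material out; that is what makes the "how many people hold the key" trade-off Albert describes about trusting people's machines and sessions rather than about copies of the key sitting on a shared host. Before relying on it, check that no gpg-agent is started on the server side (with GnuPG 2.1 gpg auto-starts one if the socket is missing, which would shadow the forwarded socket).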
