[openstack-dev] [all] [stable] No longer doing stable point releases
fungi at yuggoth.org
Mon Jun 8 15:42:13 UTC 2015

On 2015-06-07 10:55:29 +0200 (+0200), Thomas Goirand wrote:
> How do you gpg sign these tags? I hope the solution isn't to store
> a key in infra without a passphrase.

How does, e.g., Debian sign its Release file for
jessie-proposed-updates? I hope the solution isn't to store the
ftp-master automatic archive signing key in infra without a
passphrase. (This is a rhetorical question... I see from comments at
https://wiki.debian.org/SecureApt that it is indeed the case.) In
fact, I don't really mind this. It's at least an attestation that
the machine where the signature was generated had access to the
automatic signing key, which is in turn signed by and revocable by
the systems administrators entrusted to protect that machine.