[openstack-dev] [all] [stable] No longer doing stable point releases

Jeremy Stanley fungi at yuggoth.org
Mon Jun 8 15:42:13 UTC 2015


On 2015-06-07 10:55:29 +0200 (+0200), Thomas Goirand wrote:
> How do you gpg sign these tags? I hope the solution isn't to store
> a key in infra without a passphrase.

How does, e.g., Debian sign its Release file for
jessie-proposed-updates? I hope the solution isn't to store the
ftp-master automatic archive signing key in infra without a
passphrase. (This is a rhetorical question... I see from comments at
https://wiki.debian.org/SecureApt that it is indeed the case.) In
fact, I don't really mind this. It's at least an attestation that
the machine where the signature was generated had access to the
automatic signing key, which is in turn signed by and revocable by
the systems administrators entrusted to protect that machine.
-- 
Jeremy Stanley