[openstack-dev] [all] [stable] No longer doing stable point releases
zigo at debian.org
Tue Jun 9 09:00:02 UTC 2015
On 06/08/2015 05:42 PM, Jeremy Stanley wrote:
> On 2015-06-07 10:55:29 +0200 (+0200), Thomas Goirand wrote:
>> How do you gpg sign these tags? I hope the solution isn't to store
>> a key in infra without a passphrase.
> How does, e.g., Debian sign its Release file for
> jessie-proposed-updates? I hope the solution isn't to store the
> ftp-master automatic archive signing key in infra without a
> passphrase. (This is a rhetorical question... I see from comments at
> https://wiki.debian.org/SecureApt that it is indeed the case.) In
> fact, I don't really mind this. It's at least an attestation that
> the machine where the signature was generated had access to the
> automatic signing key, which is in turn signed by and revocable by
> the systems administrators entrusted to protect that machine.
Fair enough. And I'll trust you will safeguard everything correctly.