On 2015-03-04 1:10 PM, matt wrote:
> use a pgp signing key with pass phrase and sign the release / packages
> files. ubuntu already does this.
>

You also need to sign the packages before uploading. You can sign the
packages AND the repository. Both are done by different actors:
uploader, repo manager.

--
Mathieu