Re: PGP signing release

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
Cc: Curt Sampson <cjs(at)cynic(dot)net>, PostgresSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing release
Date: 2003-02-12 02:17:45
Message-ID: 200302120217.h1C2HjJ20328@candle.pha.pa.us
Lists: pgsql-hackers


I hate to pooh-pooh this, but this "web of trust" sounds more like a "web
of confusion". I liked the idea of mentioning the MD5 in the email
announcement. It doesn't require much extra work, and doesn't require a
"web of %$*&" to be set up to check things. Yea, it isn't as secure as
going through the motions, but if someone breaks into that FTP server
and changes the tarball and MD5 file, we have much bigger problems than
someone modifying the tarballs; our CVS is on that machine too.

---------------------------------------------------------------------------

Greg Copeland wrote:
> On Tue, 2003-02-11 at 18:27, Curt Sampson wrote:
> > On Wed, 11 Feb 2003, Greg Copeland wrote:
> >
> > > On Wed, 2003-02-05 at 18:53, Curt Sampson wrote:
> > >
> > > [Re: everybody sharing a single key]
> > >
> > > This issue doesn't change regardless of the mechanism you pick. Anyone
> > > that is signing a key must take reasonable measures to ensure the
> > > protection of their key.
> >
> > Right. Which is why you really want to use separate keys: you can determine
> > who compromised a key if it is compromised, and you can revoke one without
> > having to revoke all of them.
> >
> > Which pretty much inevitably leads you to just having the developers use
> > their own personal keys to sign the release.
> >
> > > Basically, you are saying:
> > > You trust a core developer
> > > You trust they can protect their keys
> > > You trust they can properly distribute their trust
> > > You don't trust a core developer with a key
> >
> > Not at all. I trust core developers with keys, but I see no reason to
> > weaken the entire system by sharing keys when it's not necessary. Having
> > each developer sign the release with his own personal key solves every
> > problem you've brought up.
> >
> > cjs
>
> You need to keep in mind, I've not been advocating, rather, clarifying.
> The point being, having a shared key between trusted core developers is
> hardly an additional risk. After all, either they can be trusted or
> they can't.
>
> At this point, I think we both understand where the other stands.
> Either we agree or agree to disagree. The next step is for the
> developers to adopt which path they prefer to enforce and to ensure they
> have the tools and knowledge at hand to support it.
>
> Anyone know if Tom and Bruce know each other well enough to sign each
> other's keys outright, via phone, via phone and snail-mail? That would
> put us off to an excellent start.
>
>
> Regards,
>
> --
> Greg Copeland <greg(at)copelandconsulting(dot)net>
> Copeland Computer Consulting
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
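The check Bruce describes above (an MD5 quoted in the announcement e-mail, compared against the downloaded tarball) as an added, runnable example; this is not code from the thread or from the PostgreSQL project. The announcement text, the tarball bytes and the example.org URLs are constructed for the demo. The `independent_channels` helper encodes the caveat in his last sentence: a digest fetched from the same host as the tarball proves nothing if that host is compromised.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed announcement body in the "<hexdigest>  <filename>" shape that
# md5sum(1) prints. Not a real PostgreSQL announcement.
ANNOUNCEMENT = """\
PostgreSQL 7.3.2 is now available.

MD5 checksums:
9e107d9d372bb6826bd81d3542a419d6  postgresql-7.3.2.tar.gz
"""

# Constructed stand-in for the downloaded tarball bytes (a real run would
# read the file from disk after fetching it from the FTP mirror).
DOWNLOADED = {"postgresql-7.3.2.tar.gz": b"The quick brown fox jumps over the lazy dog"}


def parse_digests(text, hexlen=32):
    """Map filename -> lowercase hex digest for every md5sum-style line in text."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == hexlen:
            digest = parts[0].lower()
            if all(c in "0123456789abcdef" for c in digest):
                digests[parts[1]] = digest
    return digests


def verify_files(files, announced, algorithm="md5"):
    """Return {filename: 'ok' | 'MISMATCH' | 'unlisted'} for each downloaded file.

    algorithm is any hashlib name; MD5 matches the 2003 announcement format,
    a modern release would publish SHA-256 and the same code applies.
    """
    results = {}
    for name, data in files.items():
        expected = announced.get(name)
        if expected is None:
            results[name] = "unlisted"  # nothing in the announcement to compare against
            continue
        actual = hashlib.new(algorithm, data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def independent_channels(tarball_url, digest_url):
    """True only if the digest did not come from the host serving the tarball."""
    return urlsplit(tarball_url).hostname != urlsplit(digest_url).hostname
```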
