From: | greg(at)turnstep(dot)com |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: PGP signing releases |
Date: | 2003-02-04 17:15:06 |
Message-ID: | 58489df065e9a00273e3df7697daf518@biglumber.com |
Lists: | pgsql-hackers |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
There are generally two ways to do it: have a "project" key, or have
each developer use their own key. The advantage of the first way is
that each release is signed by the same key, which is clearly
associated with the project. The disadvantage is control, security,
and accountability. The second way pretty much reverses the
arguments: each key is controlled by one person, but there is no
obvious mapping between that person and the project. Individual keys
also have a history associated with them, and are usually already
integrated into the Web of Trust.

Many projects use the individual method, including Apache, GnuPG, and
OpenSSH. Some use the project method, such as sendmail and proftpd.

Either is okay with me, but some questions need to be answered if
using a project key:

Who will actually hold the key? Where will it be physically kept?
How many people will know the passphrase?
Who will be responsible for signing the files? Is there a backup person?
Will it be a signing-only key? What size? Should it expire?
How is verification of the files before signing accomplished?

I've got some ideas about most of those, especially the last two. This will
not be that easy of a process, but on the other hand, new versions do not
appear very frequently, and it is important to get this right the first time.

- --
Greg Sabino Mullane greg(at)turnstep(dot)com
PGP Key: 0x14964AC8 200302041207
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html
iD8DBQE+P/XQvJuQZxSWSsgRAuKEAJwPKMe/nlBIk/Qm/dh2BbPvXbUQ4gCfeVqD
8TkRv3JkZ9T7t2YYBaCVc24=
=RnK6
-----END PGP SIGNATURE-----