On 03/03/06, Henri Yandell <[EMAIL PROTECTED]> wrote:
> On 3/2/06, Simon Kitching <[EMAIL PROTECTED]> wrote:
> > On Thu, 2006-03-02 at 14:50 -0800, Henri Yandell wrote:
> > > > > We're not supposed to be using the pgp on minotaur; so my TODO is to
> > > > > figure out how to get my key off of there, hope I still know the
> > > > > passphrase,
> > > >
> > > > i hope so too :)
> > > >
> > > > there are various ways to export the key but copying the files should
> > > > work fine too.
> > >
> > > Advice is to revoke it - as who knows what you evil buggers have been
> > > doing to it :)
> >
> > It's not because people with access to minotaur are untrustworthy that
> > keys shouldn't be there :-)
>
> That was one of the reasons I was given :)
>
> > It's that if the key is on there, someone who hacks that machine has
> > *both* the key *and* the ability to publish what would seem to be
> > "official" releases.
>
> The solution to that is easy though. Two apache machines. So must be
> more than that.
If releases are signed on committers' private machines, then this is more than two machines ... and each private machine will only have a few private keys on it.

By the by, generating the signing keys with a short life-span (1-2 years) should help protect in the long term.
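One way a release manager could enforce the short-lifespan policy suggested above is to check a key listing before trusting a signature. The code below is an added example, not code from this thread or from Apache; it parses the machine-readable output of `gpg --with-colons --fixed-list-mode --list-keys` and the sample listing, key ids and policy maximum are constructed placeholders.

```python
"""Flag release-signing keys that have no expiry, exceed a maximum lifetime, or have expired."""
import subprocess
import sys

SECONDS_PER_DAY = 86400

# Constructed sample listing (placeholder key ids, not real Apache keys).
# In --with-colons --fixed-list-mode output a "pub" record carries the key id
# in field 5, creation time in field 6 and expiry time in field 7 (epoch seconds).
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1141257600:1204329600::u:::scESC::::::23::0:
uid:u::::1141257600::0000000000000000000000000000000000000001::Alice Example <alice@example.invalid>::::::::::0:
pub:u:4096:1:0000000000000002:1141257600:::u:::scESC::::::23::0:
uid:u::::1141257600::0000000000000000000000000000000000000002::Bob Example <bob@example.invalid>::::::::::0:
pub:e:2048:1:0000000000000003:1078099200:1109635200::u:::scESC::::::23::0:
uid:e::::1078099200::0000000000000000000000000000000000000003::Carol Example <carol@example.invalid>::::::::::0:
"""

# Constructed "current time": 2006-03-04 00:00 UTC, shortly after this thread.
NOW = 1141430400


def parse_primary_keys(listing):
    """Return [{keyid, created, expires}] for each primary key ("pub") record."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # sub, uid, fpr and trust records are not needed here
        keys.append({
            "keyid": fields[4],
            "created": int(fields[5]),
            "expires": int(fields[6]) if fields[6] else None,
        })
    return keys


def check_key_policy(listing, now, max_lifetime_days=730):
    """Map each primary key id to a list of policy problems (empty list = acceptable)."""
    findings = {}
    for key in parse_primary_keys(listing):
        problems = []
        if key["expires"] is None:
            problems.append("no expiry date set")
        else:
            lifetime_days = (key["expires"] - key["created"]) // SECONDS_PER_DAY
            if lifetime_days > max_lifetime_days:
                problems.append(f"lifetime {lifetime_days} days exceeds policy maximum of {max_lifetime_days}")
            if key["expires"] <= now:
                problems.append("expired")
        findings[key["keyid"]] = problems
    return findings


if __name__ == "__main__":
    # Run against the local keyring when executed directly (requires gpg on PATH).
    import time
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--fixed-list-mode", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    for keyid, problems in check_key_policy(out, int(time.time())).items():
        print(keyid, "OK" if not problems else "; ".join(problems))
```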