On 06/08/2015 05:42 PM, Jeremy Stanley wrote:
> On 2015-06-07 10:55:29 +0200 (+0200), Thomas Goirand wrote:
>> How do you gpg sign these tags? I hope the solution isn't to store
>> a key in infra without a passphrase.
>
> How does, e.g., Debian sign its Release file for
> jessie-proposed-updates? I hope the solution isn't to store the
> ftp-master automatic archive signing key in infra without a
> passphrase. (This is a rhetorical question... I see from comments at
> https://wiki.debian.org/SecureApt that it is indeed the case.) In
> fact, I don't really mind this. It's at least an attestation that
> the machine where the signature was generated had access to the
> automatic signing key, which is in turn signed by and revocable by
> the systems administrators entrusted to protect that machine.

Fair enough. And I'll trust you will safeguard everything correctly. :)

Thomas

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev