-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are generally two ways to do it: have a "project" key, or have each developer use their own key.

The advantage of the first way is that each release is signed by the same key, which is clearly associated with the project. The disadvantage is control, security, and accountability.

The second way pretty much reverses the arguments: each key is controlled by one person, but there is no obvious mapping between that person and the project. Individual keys also have a history associated with them, and are usually already integrated into the Web of Trust.

Many projects use the individual method, including Apache, GnuPG, and OpenSSH. Some use the project method, such as sendmail and proftpd.

Either is okay with me, but some questions need to be answered if using a project key:

Who will actually hold the key?
Where will it be physically kept?
How many people will know the passphrase?
Who will be responsible for signing the files?
Is there a backup person?
Will it be a signing-only key?
What size?
Should it expire?
How is verification of the files before signing accomplished?

I've got some ideas about most of those, especially the last two. This will not be that easy of a process, but on the other hand, new versions do not appear very frequently, and it is important to get this right the first time.

--
Greg Sabino Mullane [EMAIL PROTECTED]
PGP Key: 0x14964AC8 200302041207

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE+P/XQvJuQZxSWSsgRAuKEAJwPKMe/nlBIk/Qm/dh2BbPvXbUQ4gCfeVqD
8TkRv3JkZ9T7t2YYBaCVc24=
=RnK6
-----END PGP SIGNATURE-----

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?
http://www.postgresql.org/users-lounge/docs/faq.html
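Two of the open questions in the mail above, "will it be a signing-only key, what size, should it expire?" and "how is verification of the files before signing accomplished?", can be turned into mechanical checks. The script below is an added example, not code from the mail or from any of the projects it names. It reads the machine-readable output of `gpg --with-colons --list-keys` and checks a key against a release-key policy, then verifies a SHA256SUMS-style manifest before anything is signed. The policy thresholds (3072-bit RSA minimum, two-year maximum lifetime) are the example's own assumptions, and both key listings and the release files are constructed sample data, not real keys.

```python
"""Release-signing hygiene checks (added example; policy values are assumed)."""
import hashlib
import time

# Assumed policy for the subkey that will sign releases.
RSA_ALGOS = {1, 2, 3}          # OpenPGP public-key algorithm ids for RSA variants
ECC_SIGNING_ALGOS = {19, 22}   # ECDSA, EdDSA
MIN_RSA_BITS = 3072            # assumed minimum for a long-lived release key
MAX_LIFETIME_DAYS = 2 * 365    # assumed: force periodic rotation


def parse_colon_listing(listing):
    """Return (pub, subs) as raw field lists from gpg --with-colons output.

    Field positions in the colon format: 0 record type, 2 key length,
    3 algorithm id, 4 key id, 5 created, 6 expires, 11 capabilities.
    """
    pub, subs = None, []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pub = fields
        elif fields[0] == "sub":
            subs.append(fields)
    return pub, subs


def _strength_problem(fields):
    """Answer 'what size?': return a message if the key is below policy."""
    algo, bits = int(fields[3]), int(fields[2])
    if algo in ECC_SIGNING_ALGOS or (algo in RSA_ALGOS and bits >= MIN_RSA_BITS):
        return None
    return f"key {fields[4]}: algorithm {algo} with {bits} bits is below policy"


def check_release_key(listing, now=None):
    """Return policy violations for a project key listing (empty list = ok)."""
    now = time.time() if now is None else now
    pub, subs = parse_colon_listing(listing)
    if pub is None:
        return ["no primary key found in listing"]
    problems = []
    # 'Signing-only' means a subkey whose own capabilities (lowercase letters
    # in field 11) are exactly 's'; uppercase letters describe the whole key.
    if not [s for s in subs if {c for c in s[11] if c.islower()} == {"s"}]:
        problems.append("no signing-only subkey (a subkey with capability 's' alone)")
    for key in [pub] + subs:
        problem = _strength_problem(key)
        if problem:
            problems.append(problem)
        expires = key[6]
        if not expires:
            problems.append(f"key {key[4]}: no expiry set")
        elif int(expires) - now > MAX_LIFETIME_DAYS * 86400:
            problems.append(f"key {key[4]}: expiry more than {MAX_LIFETIME_DAYS} days out")
    return problems


def make_manifest(files):
    """Build a SHA256SUMS-style manifest ('<hex>  <name>' per line) from name->bytes."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in sorted(files.items()))


def verify_before_signing(manifest, files):
    """Re-hash the delivered files and compare with the announced manifest.

    Returns discrepancies; the signer should only sign when the list is empty.
    """
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            expected[name] = digest.lower()
    findings = []
    for name, digest in expected.items():
        if name not in files:
            findings.append(f"{name}: listed in manifest but not delivered")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            findings.append(f"{name}: content does not match manifest")
    findings += [f"{n}: delivered but absent from manifest" for n in files if n not in expected]
    return findings


# Constructed sample listings (not real keys). GOOD: ed25519 primary with a
# signing-only subkey, both expiring. BAD: 1024-bit RSA, no expiry, no 's' subkey.
GOOD_LISTING = """tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:1763000000::u:::scESC:::::ed25519:::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example Project Release Signing <release@example.org>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1700000000:1731000000:::::s:::::ed25519::
"""
BAD_LISTING = """pub:u:1024:1:1111111111111111:1100000000:::u:::scaESCA::::::::0:
uid:u::::1100000000::0000000000000000000000000000000000000000::Old Project Key <old@example.org>::::::::::0:
sub:u:1024:1:2222222222222222:1100000000::::::e::::::::
"""
SAMPLE_FILES = {"project-1.0.tar.gz": b"constructed tarball bytes v1"}

if __name__ == "__main__":
    for name, listing in (("GOOD", GOOD_LISTING), ("BAD", BAD_LISTING)):
        print(name, check_release_key(listing, now=1700000000) or "ok")
    manifest = make_manifest(SAMPLE_FILES)
    print("untampered:", verify_before_signing(manifest, SAMPLE_FILES) or "ok")
    tampered = {"project-1.0.tar.gz": b"constructed tarball bytes v2"}
    print("tampered:", verify_before_signing(manifest, tampered))
```

The manifest check only helps if the manifest reaches the signer over a path independent of the files themselves (for example, announced by the release builder in a separate signed mail); the script verifies consistency between the two, not the trustworthiness of either.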