On 2015-06-07 10:55:29 +0200 (+0200), Thomas Goirand wrote:
> How do you gpg sign these tags? I hope the solution isn't to store
> a key in infra without a passphrase.

How does, e.g., Debian sign its Release file for jessie-proposed-updates? I hope the solution isn't to store the ftp-master automatic archive signing key in infra without a passphrase. (This is a rhetorical question... I see from comments at https://wiki.debian.org/SecureApt that it is indeed the case.)

In fact, I don't really mind this. It's at least an attestation that the machine where the signature was generated had access to the automatic signing key, which is in turn signed by and revocable by the systems administrators entrusted to protect that machine.

--
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev