On Mon, Nov 28, 2011 at 2:30 PM, Stefano Zacchiroli wrote:
> Anyone up to summarizing what has been mentioned in this thread?
> I understand there is some opposition to the notion of guidelines at
> all, but having some would be useful to some people apparently, ... and
> others are not forced to
Hi,
On Sunday, 30.10.2011, 17:33 +, Lars Wirzenius wrote:
> * Store your master PGP keys on at least two USB thumb drives.
> - use full-disk encryption on the drives
> - don't use them for anything else
given that PGP already protects keys with passphrases, what is the
benefit of ad
Henrique de Moraes Holschuh writes:
> One thing we have not talked about, is that of subkey validity. It is
> not that kosher to have anything signed in stable with a subkey which
> will not be valid for the lifetime of stable, so we should keep that in
> mind.
I currently use a one year expira
On Sun, Nov 06, 2011 at 01:44:08PM +0100, Tollef Fog Heen wrote:
> ]] Lars Wirzenius
>
> | Assuming we're talking about each developer's personal key: what
> | things would they be signing that matter? Package upload signatures
> | are relevant only until the upload gets accepted into the archive
]] Lars Wirzenius
| Assuming we're talking about each developer's personal key: what
| things would they be signing that matter? Package upload signatures
| are relevant only until the upload gets accepted into the archive, and
| after that it's the archive signing key that matters.
Source packa
On Sun, Nov 06, 2011 at 11:52:02AM +0100, Milan Zamazal wrote:
> I also agree that having a best practice document is useful.
>
> Here are some suggestions for clarification:
>
> - The wiki page says:
Meta-discussion note: the wiki page referred to is
http://wiki.debian.org/subkeys -- and all th
On Sun, 06 Nov 2011, Lars Wirzenius wrote:
> On Thu, Nov 03, 2011 at 03:44:36PM -0200, Henrique de Moraes Holschuh wrote:
> > One thing we have not talked about, is that of subkey validity. It is
> > not that kosher to have anything signed in stable with a subkey which
> > will not be valid for th
I also agree that having a best practice document is useful.
Here are some suggestions for clarification:
- The wiki page says: "Worse, if anyone else gets access to your private
master key, they can make everyone believe they're you: they can
upload packages in your name, vote in your name,
On Thu, Nov 03, 2011 at 05:38:51PM +0100, Jakub Wilk wrote:
> This seems to suggest that having multiple copies of the PGP key
> somehow improves security. However, at least for some attack
> scenarios, it's quite the opposite.
I'm sorry if I was too terse. The point of a backup copy of your
maste
On Thu, Nov 03, 2011 at 03:44:36PM -0200, Henrique de Moraes Holschuh wrote:
> One thing we have not talked about, is that of subkey validity. It is
> not that kosher to have anything signed in stable with a subkey which
> will not be valid for the lifetime of stable, so we should keep that in
> m
On Sat, Nov 05, 2011 at 11:51:33AM +0100, Andreas Schuldei wrote:
> > This thread reminds me of a Dutch management book entitled "Managing
> > Professionals? Don't do it!"[1].
> >
> I agree, rules like that become silly, quickly. but if someone
> explains good "best practice" to me and motivates w
On Sat, 05 Nov 2011, Thijs Kinkhorst wrote:
> This thread reminds me of a Dutch management book entitled "Managing
> Professionals? Don't do it!"[1].
Being an engineer, I can tell you that publishing guidelines and the
rationale behind them _is_ necessary even when the audience is competent
techni
* Thijs Kinkhorst (th...@debian.org) [05 08:57]:
> On Thu, November 3, 2011 18:44, Henrique de Moraes Holschuh wrote:
> > On Thu, 03 Nov 2011, Jakub Wilk wrote:
> >> * Lars Wirzenius , 2011-10-30, 17:33:
> >> >>Personally, I think some guidelines for DD's about securing
> >> >>their personal ma
On Thu, November 3, 2011 18:44, Henrique de Moraes Holschuh wrote:
> On Thu, 03 Nov 2011, Jakub Wilk wrote:
>> * Lars Wirzenius , 2011-10-30, 17:33:
>> >>Personally, I think some guidelines for DD's about securing
>> >>their personal machines where their private keys are located
>> >>would be a goo
On Thu, Nov 03, 2011 at 03:44:36PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 03 Nov 2011, Jakub Wilk wrote:
> > This seems to suggest that having multiple copies of the PGP key
>
> Multiple *offline* copies, in an encrypted container.
>
> > somehow improves security. However, at least f
On Thu, 03 Nov 2011, Jakub Wilk wrote:
> * Lars Wirzenius , 2011-10-30, 17:33:
> >>Personally, I think some guidelines for DD's about securing
> >>their personal machines where their private keys are located
> >>would be a good idea. It would be a lot better than just having
> >>a vague and ineffab
* Lars Wirzenius , 2011-10-30, 17:33:
Personally, I think some guidelines for DD's about securing their
personal machines where their private keys are located would be a good
idea. It would be a lot better than just having a vague and ineffable
thing called "trust".
I agree. I offer the follo
On a mailing list far far away, someone wrote:
> Personally, I think some guidelines for DD's about securing their
> personal machines where their private keys are located would be a good
> idea. It would be a lot better than just having a vague and ineffable
> thing called "trust".
I agree. I off