On Fri, 2005-03-04 at 12:20 -0500, Scott Lawrence wrote:
> I'm looking for advice on best practices for setting up a repository
> with respect to package signing.
>
> Clearly, rpms should be signed by a key available from the repository
> site. I plan to set up our web server so that the key is available only
> via https, which makes it more difficult to spoof the server.
>
> We plan to use a key that is maintained by the project itself - not any
> individual person's key.
>
> My question has to do with other measures to ensure the trust of that
> key - do repository &| package maintainers generally sign the package-
> signing keys with other keys to get it related to other trust networks?

We don't. We have a public key we published to the various keyservers and
we keep a known-reliable copy of it safe and sound somewhere.

It's a hard call - but the web-of-trust concepts only go but so far.

-sv
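The thread leaves the consumer side implicit: serving the key over https authenticates the web server, not the project, so the client still needs something out of band (a fingerprint printed in the project's documentation or announced by the maintainers) to tie the downloaded key to the project. The script below is an added example, not code from the thread or from any project discussed in it. It pins the repository key's fingerprint, lets that pin gate the import into the rpm keyring, and then checks a package against it. The URL, key file name and fingerprint are placeholders; it assumes GnuPG 2.1 or later (for `--import-options show-only`), curl and rpm are installed.

```shell
#!/bin/sh
# Added example (not from the original thread): pin the repository signing
# key's fingerprint out of band, then use the pin to gate both the key
# import and the package check. Requires gpg (2.1+), curl and rpm.
set -eu

# Strip whitespace and upper-case a fingerprint so the pinned and observed
# values compare byte for byte however they were typed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons output on stdin and print the primary key's
# fingerprint: the first "fpr" record, whose 10th field is the hex value.
extract_primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the primary key in an ASCII-armoured key file, computed
# without importing it into any keyring.
key_fingerprint() {
    gpg --batch --quiet --with-colons --import-options show-only \
        --import "$1" | extract_primary_fpr
}

# Compare a pinned fingerprint with an observed one. Exit status 0 on match.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fetch the key over https only (curl fails on HTTP errors and refuses any
# non-https URL), check its fingerprint, and only then import it for rpm.
import_pinned_key() {
    url=$1 pinned=$2 keyfile=$3
    curl --fail --silent --show-error --proto '=https' "$url" -o "$keyfile"
    actual=$(key_fingerprint "$keyfile")
    if ! fpr_matches "$pinned" "$actual"; then
        echo "key fingerprint mismatch: expected $pinned, got $actual" >&2
        return 1
    fi
    rpm --import "$keyfile"   # writes to the rpm database; usually needs root
}

# Verify one package. rpm -K exits non-zero on a bad or unverifiable
# signature (including NOKEY), but it exits 0 for an unsigned package whose
# digests match, so additionally require that a signature line was checked.
verify_rpm() {
    out=$(rpm -Kv "$1") || { printf '%s\n' "$out" >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'Signature.*: OK'
}

# Usage: sh verify-repo-key.sh https://repo.example.org/RPM-GPG-KEY \
#            'ABCD EF01 ...' some-package.rpm   (all three are placeholders)
if [ "$#" -eq 3 ]; then
    import_pinned_key "$1" "$2" ./repo-key.asc
    verify_rpm "$3"
    echo "$3: signature OK against the pinned repository key"
fi
```

The pinned fingerprint is the only input the script trusts; the https transport, the keyservers the reply mentions, and the rpm database are all just places the same bytes are fetched from or cached. Note the `verify_rpm` check: a bare `rpm -K` that exits 0 is not proof of a signature, because digest-only packages pass it too.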