Re: Package signing




Ng Oon-Ee wrote:
>> Under which circumstances would you envision the need to trust an old,
>> compromised signature?
>>     
> New install, dev for a couple of [extra] packages has already left the
> team. Having to recompile every time a dev leaves the team is additional
> (unnecessary) hassle IMO, especially for bigger packages (openoffice and
> sons, I'm looking at you).
>   
If the user is trustworthy, I wouldn't remove the user key until after
he doesn't maintain any package any more (even though he can
have his access revoked).
If you need for some reason to keep them as trusted while
revoking the key, you could sign the other dev's package, thus
taking responsibility for the integrity of that package (some users
may disagree and reject your packages because they don't accept
your policy).


