Re: PGP signing releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To answer some of my earlier questions, here is one specific way of doing it:

Tom Lane creates a PostgreSQL key, signing only, DSA, 1024 bits, that expires
in 3 years. It ends up looking something like this:

pub 1024D/0BB10D1D 2003-02-07 PostgreSQL (PostgreSQL signing key) <key(at)postgresql(dot)org>

Tom keeps a close watch on the commits list and waits for a new version to be
released. When the tarball is made, he checks it out and when satisfied, he
signs it with the key. (Other people can look it over and verify it by referring
to its sha1sum).

Once signed, the small text file that is created is mailed to the web group (or
just posted to the list). Somebody adds it to the web page, and from there to all
the mirrors. Tom keeps the key secure, preferably by not keeping it on a box connected
to the net. He generates a revocation certificate and gives it to Bruce, who
squirrels it away until needed. Tom signs the key with his own, and perhaps with
other developers who have PGP keys. People meet Tom at the conferences, exchange keys,
the Web of Trust grows, and all is good in the world again.

I chose Tom because he is part of the core and has (IMO) the best ability to
detect problems in the source code and verify a final tarball.

It doesn't really matter who has the key, actually, as long as they are sufficiently
careful/paranoid about keeping it safe and offline, and at least one person in
the core group has the ability to revoke it in case of an emergency.

- --
Greg Sabino Mullane greg(at)turnstep(dot)com
PGP Key: 0x14964AC8 200302071451

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE+RBJovJuQZxSWSsgRAh3XAJ47eL56YmSKXJCtdAsyYzByMi+m2QCcCNjm
b1tQyp1zLxkpGjhUer6FpZQ=
=Hfpu
-----END PGP SIGNATURE-----