On 03.11.2013 09:50, Pierre Schmitz wrote:
> I don't see how this could work. If you sign a package using that key, pacman will happily accept it as valid. So if nymeria gets compromised, the attacker obtains a valid packager key. IMHO, implementing db sigs this way is less secure than not implementing it at all.
We can use a subkey of a valid packager key. That way, revoking the subkey is very easy and doesn't need 5 people, but just one. If we secure the private key properly on nymeria (see my first mail), then compromising nymeria is not sufficient; you actually need to become root there (which hopefully shouldn't be too easy). Actually, other distributions have keys on their servers for signatures, too, even to sign packages (I remember seeing a very impersonal, repository-based PGP key on openSuSE).
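The key layout argued for above (certify-only packager key kept by the human, sign-only subkey on the repository host, subkey revocable on its own) can be exercised end to end with GnuPG. The script below is an added example written for this page, not code from the thread or from the Arch infrastructure; it assumes GnuPG 2.1 or newer, uses a throwaway GNUPGHOME, and every key name and db file content in it is constructed. It signs a db with the subkey, shows what a verifier sees before and after the subkey alone is revoked, and shows a tampered db failing.

```shell
#!/bin/sh
# Added example (not from the arch-dev-public thread). Certify-only primary
# key stays with the packager; a sign-only subkey is what would live on the
# repo host. Revoking just that subkey flips every verification of its
# signatures from GOODSIG to REVKEYSIG, which a revocation-aware verifier
# (pacman via gpgme) rejects. Needs GnuPG >= 2.1; names are constructed.
set -eu

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
WORK="$GNUPGHOME/work"; mkdir -p "$WORK"

PACKAGER="Example Packager <packager@example.invalid>"   # constructed

# gpg wrapper: non-interactive, empty passphrase (demo key only).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# n-th fingerprint of a key: 1 = primary, 2 = first subkey.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
      | awk -F: -v n="$2" '/^fpr/ { if (++i == n) { print $10; exit } }'
}

setup_keys() {
    g --quick-generate-key "$PACKAGER" ed25519 cert never >/dev/null 2>&1
    PRIMARY=$(fpr_of "$PACKAGER" 1)
    g --quick-add-key "$PRIMARY" ed25519 sign never >/dev/null 2>&1
    SUBKEY=$(fpr_of "$PRIMARY" 2)
}

# Detach-sign $1 with the subkey only; the trailing '!' pins that exact key.
sign_db() { g --local-user "${SUBKEY}!" --detach-sign --output "$1.sig" "$1" 2>/dev/null; }

# Print the status token a verifier sees for $1: GOODSIG, REVKEYSIG, BADSIG, ...
verify_status() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk '$2 ~ /^(GOODSIG|REVKEYSIG|BADSIG|ERRSIG|EXPKEYSIG)$/ { print $2; exit }'
}

# Revoke only the subkey. This needs the primary secret key, i.e. the
# packager, not the server, and leaves the packager's identity intact.
revoke_subkey() {
    printf 'key 1\nrevkey\ny\n0\n\ny\nsave\n' \
      | g --command-fd 0 --status-fd 1 --edit-key "$PRIMARY" >/dev/null 2>&1
}

run_demo() {
    setup_keys
    DB="$WORK/core.db"
    printf '%%FILENAME%%\nexample-1.0-1-x86_64.pkg.tar.zst\n' > "$DB"  # constructed db
    sign_db "$DB"
    BEFORE=$(verify_status "$DB")
    cp "$DB" "$WORK/tampered.db"; cp "$DB.sig" "$WORK/tampered.db.sig"
    printf 'injected-0-1-x86_64.pkg.tar.zst\n' >> "$WORK/tampered.db"
    TAMPERED=$(verify_status "$WORK/tampered.db")
    revoke_subkey
    AFTER=$(verify_status "$DB")
    echo "before=$BEFORE tampered=$TAMPERED after-revocation=$AFTER"
}
run_demo
```

The point worth noticing is the last line of output: the old signature still checks out cryptographically after the revocation, so a verifier has to act on the key's status (REVKEYSIG) rather than on the signature math alone; the revocation only helps once the updated public key, with the revoked subkey, has reached the clients' keyrings.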