[arch-general] Package signing
Linas
linas_fi at ymail.com
Thu Apr 29 21:51:17 CEST 2010
Ng Oon-Ee wrote:
>> Under which circumstances would you envision the need to trust an old,
>> compromised signature?
>>
> New install, dev for a couple of [extra] packages has already left the
> team. Having to recompile every time a dev leaves the team is additional
> (unnecessary) hassle IMO, especially for bigger packages (openoffice and
> sons, I'm looking at you).
>
If the user is trustable, I wouldn't remove the user key until after
he doesn't maintain any package any more (even though he can
have his access revoked).
If you need for some reason to keep them as trusted while
revoking the key, you could sign the other dev's package, thus
taking responsibility for the integrity of that package (some users
may disagree and reject your packages because they don't accept
your policy).