[arch-general] Package signing

Linas linas_fi at ymail.com
Thu Apr 29 21:51:17 CEST 2010

Ng Oon-Ee wrote:
>> Under which circumstances would you envision the need to trust an old,
>> compromised signature?
> New install, dev for a couple of [extra] packages has already left the
> team. Having to recompile every time a dev leaves the team is additional
> (unnecessary) hassle IMO, especially for bigger packages (openoffice and
> sons, I'm looking at you).
If the user is trustable, I wouldn't remove the user key until after
he doesn't maintain any package any more (even though he can
have his access revoked).
If you need for some reason to keep them as trusted while
revoking the key, you could sign the other dev's package, thus
taking responsibility for the integrity of that package (some users
may disagree and reject your packages because they don't accept
your policy).
