[Dev] Remote Lemote for Parabola development

Aurélien aurelien at cwb.io
Thu Nov 8 17:40:29 GMT 2012


mtjm at mtjm.eu (Michał Masłowski) writes:

>> During the build you sign the packages with your gpg at the librerelease
>> time.
>
> With your private key for which the public key should be included in
> parabola-keyring.
>
>> Since it seems there is one machine for a tuple of people, modifying
>> one by one the /etc/libretools.conf on the key ID sounds weird.
>
> IMO we should use a separate keypair just for packages built on that
> machine.
>
> Most libretools load user-specific configuration files, they would
> literally answer your question.
>
>> So maybe we will need to redraw libretools.conf to ask for a key inside
>> the parabola-keyring and not just one known ID.
>
> I won't publish my private key and I don't want to download the packages
> just to sign them (it seems also pointless for security).  I'm also not
> convinced that relating the keys to users signing the packages instead
> of the machine building them is useful.

Well ... that is why the question: how to make things work for
multiple builders without creating a form of security hole?

-- 
Aurelien DESBRIERES
Ride Free! Ride GNU.org


