[clo-devel] Re: Please upload your public GPG key to common-lisp.net
Erik Enge
eenge at prium.net
Mon Nov 10 20:27:41 UTC 2003
Nikodemus Siivola <nikodemus at random-state.net> writes:
> Need To Know Basis, of course. As long as you're willing to shoulder
> the signing, no-one else needs to know. If you think you need help,
> then someone else as well.
I don't think I need help but if I get hit by the bus you're out of
luck. I think perhaps telling a couple of you will be appropriate.
How's this for the website:
We want users and developers who download software from this site to
have a way of verifying that what they just downloaded is indeed what
the author uploaded and that the author who uploaded the software
indeed is the author they think he is. This will help in preventing
trojaned software from spreading.
For the user to verify a software package (usually a tarball or a zip
file), the author will need to sign said package using his <a
href="http://www.gnupg.org/">GPG</a> (or <a
href="http://www.pgp.com/">PGP</a> or similar technology) private key.
(For details on how to do this, check out the GnuPG site, for example,
which has several howtos and other useful documents.)
Once the package has been signed, the user can then download the
package plus the author's public key and verify that the public key
at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public
key is the author's or not. Here's where our signing policy comes
into play. When developers apply for a project at common-lisp.net
they receive their passwords encrypted (by mail) and if they
successfully decrypt and answer the email, their public key will be
signed by the common-lisp.net keymaster. Thus, the users will have a
means of verifying that they have the correct key.
Poorly worded but does this capture our intent?
Erik.
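The signing policy sketched in the draft, played through end to end as an added example (not code from the original thread or from common-lisp.net): a POSIX shell script that assumes GnuPG 2.1 or newer on PATH, uses throwaway keyrings for the keymaster, the author and a downloading user, and accepts a package only when the detached signature is good and the author's key is certified by the keymaster. All names, addresses and the package payload are constructed.

```shell
#!/bin/sh
# Constructed walk-through of the policy above; assumes GnuPG 2.1 or newer.
# Three throwaway keyrings under $WORK (keymaster, author, user) keep ~/.gnupg untouched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed' >&2; exit 1; }
WORK=$(mktemp -d)
trap 'for d in "$WORK"/*; do GNUPGHOME="$d" gpgconf --kill all 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
# g NAME ARGS...: run gpg against keyring $WORK/NAME, unattended (empty passphrases).
g() { h="$WORK/$1"; shift; mkdir -p "$h"; chmod 700 "$h"
      GNUPGHOME="$h" gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '/^fpr/ { print $10; exit }'; }
g keymaster --quick-gen-key 'common-lisp.net keymaster <keymaster@example.invalid>' default default never
g author    --quick-gen-key 'Example Author <author@example.invalid>' default default never
KFPR=$(fpr keymaster keymaster@example.invalid); AFPR=$(fpr author author@example.invalid)

# Keymaster step: after the e-mail challenge succeeds, certify the author's key.
g author --armor --export "$AFPR" > "$WORK/author-selfsigned.asc"
g keymaster --import "$WORK/author-selfsigned.asc"
g keymaster --quick-sign-key "$AFPR"
g keymaster --armor --export "$KFPR" > "$WORK/keymaster.asc"
g keymaster --armor --export "$AFPR" > "$WORK/author-certified.asc"

# Author step: release a package with a detached signature (payload is constructed).
printf 'constructed package payload\n' > "$WORK/pkg.tar.gz"
g author --armor --detach-sign --output "$WORK/pkg.tar.gz.asc" "$WORK/pkg.tar.gz"
cp "$WORK/pkg.tar.gz" "$WORK/pkg-tampered.tar.gz"; printf 'x' >> "$WORK/pkg-tampered.tar.gz"

# User step: keyring "user" trusts the keymaster and holds the certified author key;
# keyring "naive" holds only the author's self-signed key (the weak link in the draft).
g user --import "$WORK/keymaster.asc" "$WORK/author-certified.asc"
printf '%s:6:\n' "$KFPR" | g user --import-ownertrust
g naive --import "$WORK/author-selfsigned.asc"

# verify_package KEYRING SIG FILE: accept only a valid signature from a key whose
# validity derives from the keymaster's certification (TRUST_FULLY or TRUST_ULTIMATE).
verify_package() {
  st=$(g "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null || true)
  if echo "$st" | grep -q '^\[GNUPG:\] VALIDSIG' &&
     echo "$st" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
    echo "OK: good signature from a keymaster-certified key"
  elif echo "$st" | grep -q '^\[GNUPG:\] GOODSIG'; then
    echo "REJECT: signature is good but the key is not certified by the keymaster"; return 1
  else
    echo "REJECT: bad or missing signature"; return 1
  fi
}
verify_package user  "$WORK/pkg.tar.gz.asc" "$WORK/pkg.tar.gz"                     # OK
verify_package naive "$WORK/pkg.tar.gz.asc" "$WORK/pkg.tar.gz"          || true    # uncertified key
verify_package user  "$WORK/pkg.tar.gz.asc" "$WORK/pkg-tampered.tar.gz" || true    # tampered file
```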