[clo-devel] Re: Please upload your public GPG key to common-lisp.net

Mario Mommer mommer at igpm.rwth-aachen.de
Tue Nov 11 07:46:23 UTC 2003


Erik Enge <eenge at prium.net> writes:
> Nikodemus Siivola <nikodemus at random-state.net> writes:
> 
> > Need To Know Basis, of course. As long as you're willing to shoulder
> > the signing, no-one else needs to know. If you think you need help,
> > then someone else as well.
> 
> I don't think I need help but if I get hit by the bus you're out of
> luck.  I think perhaps telling a couple of you will be appropriate.

Some redundancy would certainly be good. In case something bad happens
we would have to hack your box to run the site, btw.

>   We want users and developers who download software from this site to
>   have a way of verifying that what they just downloaded is indeed what
>   the author uploaded and that the author who uploaded the software
>   indeed is the author they think he is.  This will help in preventing
>   trojaned software to spread.
> 
>   For the user to verify a software package (usually a tarball or a zip
>   file), the author will need to sign said package use his <a
>   href="http://www.gnupg.org/">GPG</a> (or <a
>   href="http://www.pgp.com/>PGP</a> or similar technology) private key.
>   (For details on how to do this, check out the GnuPG site, for example,
>   which has several howto's and other useful documents.)
> 
>   Once the package has been signed, the user can then download the
>   package pluss the author's public key and verify that the public key
>   at hand signed the package he or she just downloaded.
> 
>   The weak link is of course that the user doesn't know if the public
>   key is the author's or not.  Here's where our signing policy comes
>   into play.  When developers apply for a project at common-lisp.net
>   they receive their passwords encrypted (by mail) and if they
>   successfully decrypt and answer the email, their public key will be
>   signed by the common-lisp.net keymaster.  Thus, the users will have a
>   means of verifying that they have the correct key.
> 
> Poorly worded but does this capture our intent?

I think it does. It is ok.

Regards,
        Mario





More information about the clo-devel mailing list