[clo-devel] Re: Please upload your public GPG key to common-lisp.net
mommer at igpm.rwth-aachen.de
Tue Nov 11 07:46:23 UTC 2003
Erik Enge <eenge at prium.net> writes:
> Nikodemus Siivola <nikodemus at random-state.net> writes:
> > Need To Know Basis, of course. As long as you're willing to shoulder
> > the signing, no-one else needs to know. If you think you need help,
> > then someone else as well.
> I don't think I need help but if I get hit by the bus you're out of
> luck. I think perhaps telling a couple of you will be appropriate.
Some redundancy would certainly be good. In case something bad happens
we would have to hack your box to run the site, btw.
> We want users and developers who download software from this site to
> have a way of verifying that what they just downloaded is indeed what
> the author uploaded and that the author who uploaded the software
> indeed is the author they think he is. This will help in preventing
> trojaned software from spreading.
> For the user to verify a software package (usually a tarball or a zip
> file), the author will need to sign said package using his <a
> href="http://www.gnupg.org/">GPG</a> (or <a
> href="http://www.pgp.com/">PGP</a> or similar technology) private key.
> (For details on how to do this, check out the GnuPG site, for example,
> which has several howto's and other useful documents.)
> Once the package has been signed, the user can then download the
> package plus the author's public key and verify that the public key
> at hand signed the package he or she just downloaded.
> The weak link is of course that the user doesn't know if the public
> key is the author's or not. Here's where our signing policy comes
> into play. When developers apply for a project at common-lisp.net
> they receive their passwords encrypted (by mail) and if they
> successfully decrypt and answer the email, their public key will be
> signed by the common-lisp.net keymaster. Thus, the users will have a
> means of verifying that they have the correct key.
> Poorly worded but does this capture our intent?
I think it does. It is ok.