Re: PGP signing releases

On Sun, 2003-02-02 at 18:39, Neil Conway wrote:
> Folks,
> 
> I think we should PGP sign all the "official" packages that are provided
> for download from the various mirror sites. IMHO, this is important
> because:
> 
> - ensuring that end users can trust PostgreSQL is an important part to
> getting the product used in mission-critical applications, as I'm sure
> you all know. Part of that is producing good software; another part is
> ensuring that users can trust that the software we put out hasn't been
> tampered with.
> 
> - people embedding trojan horses in open source software is not unheard
> of. In fact, it's probably becoming more common: OpenSSH, sendmail,
> libpcap/tcpdump and bitchx have all been the victim of trojan horse
> attacks fairly recently.
> 
> - PGP signing binaries is relatively easy, and doesn't need to be done
> frequently.
> 
> Comments?
> 
> I'd volunteer to do the work myself, except that it's pretty closely
> intertwined with the release process itself...
> 
> Cheers,
> 
> Neil


Actually, if you just had everyone sign the "official" key and submit it
back to the party that's signing, that would probably be good enough. 
Basically, as long as people can verify the package has been signed and
can reasonably verify that the signing key is safe and/or can be
verified, confidence should be high in the signed package.

I certainly have no problem with people signing my key nor with signing
others as long as we can verify/authenticate each others keys prior.


Regards,


-- 
Greg Copeland <greg@copelandconsulting.net>
Copeland Computer Consulting