From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joanna Rutkowska Subject: Re: request to sign software Date: Tue, 30 Mar 2010 11:46:49 +0200 Message-ID: <4BB1C889.3080204@invisiblethingslab.com> References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0944011036==" Return-path: In-Reply-To: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Keir Fraser Cc: Jeremy Fitzhardinge , "xen-devel@lists.xensource.com" , Ian Jackson , Stephen Spector List-Id: xen-devel@lists.xenproject.org This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --===============0944011036== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig65BA5F098FD7DFC6A7094DE4" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig65BA5F098FD7DFC6A7094DE4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 03/30/2010 09:00 AM, Keir Fraser wrote: > On 29/03/2010 22:09, "Joanna Rutkowska" = > wrote: >=20 >> ...and then publish it on xen.org and sent to xen-devel. The list is >> mirrored in a few places, so it would not be trivial for the attacker = to >> subvert the public key in all the public archives. Users can always us= e >> more than one different internet connections to verify the key, to get= >> around potential compromise at an ISP level. >> >> This could be your "master key" and then you could simply sign other >> keys (e.g. Jermey's, Keir's, etc) with this master key (simple gpg -s,= >> no certs, no web of trust, needed). >=20 > I chatted with Ian Jackson about this, and our thought was to generate = a > xen.org master key which we would keep safe in Cambridge: only he and I= > would have copies of it (the two of us, for redundancy). We can also > generate a software-signing key, signed by the master key, which we act= ually > use for the business of signing releases from the xen-*.hg and > qemu-xen-*.git repositories. >=20 > We weren't sure it makes sense for Jeremy to sign anything since he's n= ot > actually making releases out of his repository. If we decide that Jerem= y > should sign things I think it best he makes his own key and we sign it = with > the master key. >=20 Right. But I think it would make lots of sense for Jeremy to tag, at least some of the pvops branches (stable-2.6.{31.32}.x), anyway. Otherwise this every-changing repo might scare away lots of people. Perhaps Jeremy could apply some tag (and sign it) every week, or after some more major merges, etc. Would be nice e.g. to have some particular commit from the pvops marked as the official release for the upcoming Xen 4.0.0, wouldn't it? joanna. --------------enig65BA5F098FD7DFC6A7094DE4 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkuxyIoACgkQORdkotfEW85ywwCgnek3aVnDzENFK5NejO56o3mT LGYAnREtXp4wIYAw7qCNNc1vj5tGkSeW =SB5N -----END PGP SIGNATURE----- --------------enig65BA5F098FD7DFC6A7094DE4-- --===============0944011036== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --===============0944011036==--