1 |
On Sun, Nov 07, 2004 at 05:04:29PM +0000, Rui Covelo wrote: |
2 |
> Adding to what Peter said, what about having the public and private key |
3 |
> changed periodicaly (developers come and go, keys should come and go |
4 |
> too) and have the portage download automaticaly the public key and |
5 |
> revokation certificates when needed from a single server? Ex: www.gentoo.org |
6 |
|
7 |
Yes, I agree this is the way to do it. Debian, for example, has an annual |
8 |
repository signing key. |
9 |
|
10 |
- Chris |
11 |
|
12 |
|
13 |
-- |
14 |
gentoo-security@g.o mailing list |