Erik Enge writes:
Once the package has been signed, the user can then download the package plus the author's public key and verify that the public key at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
Sounds great, how will we handle signing of those of us who are already members?
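The trust chain Erik describes (the keymaster certifies a developer's public key, the developer signs the package, and the user trusts only the keymaster's key), as an added Go example that is not from this thread or from common-lisp.net: Ed25519 stands in for whatever PGP-style keys the project used, and the key pairs and package bytes are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCert is the keymaster's signature over an author's public key.
type KeyCert struct {
	AuthorPub ed25519.PublicKey
	Sig       []byte // keymaster's signature over AuthorPub
}

// SignedPackage is what the user downloads: package, certified author key, signature.
type SignedPackage struct {
	Data []byte
	Cert KeyCert
	Sig  []byte // author's signature over Data
}

// CertifyAuthorKey models the keymaster signing a developer's key after the mailed challenge is answered.
func CertifyAuthorKey(kmPriv ed25519.PrivateKey, authorPub ed25519.PublicKey) KeyCert {
	return KeyCert{AuthorPub: authorPub, Sig: ed25519.Sign(kmPriv, authorPub)}
}

// SignPackage models the author signing a release with their own key.
func SignPackage(authorPriv ed25519.PrivateKey, cert KeyCert, data []byte) SignedPackage {
	return SignedPackage{Data: data, Cert: cert, Sig: ed25519.Sign(authorPriv, data)}
}

// VerifyPackage is the user's check. The only trust anchor is the keymaster's public key,
// so a package signed by an uncertified key is rejected even when its own signature is valid.
func VerifyPackage(kmPub ed25519.PublicKey, p SignedPackage) error {
	if !ed25519.Verify(kmPub, p.Cert.AuthorPub, p.Cert.Sig) {
		return errors.New("author key is not certified by the keymaster")
	}
	if !ed25519.Verify(p.Cert.AuthorPub, p.Data, p.Sig) {
		return errors.New("package signature does not verify")
	}
	return nil
}

func main() {
	kmPub, kmPriv, _ := ed25519.GenerateKey(rand.Reader)     // keymaster's key pair (constructed)
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader) // developer's key pair (constructed)
	pkg := SignPackage(authPriv, CertifyAuthorKey(kmPriv, authPub), []byte("constructed package bytes"))
	fmt.Println("certified author:", VerifyPackage(kmPub, pkg))
}
```

A key the keymaster never signed fails the first check even if it certifies itself, and any change to the package bytes fails the second.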