Erik Enge eenge@prium.net writes:
Nikodemus Siivola nikodemus@random-state.net writes:
Need To Know Basis, of course. As long as you're willing to shoulder the signing, no-one else needs to know. If you think you need help, then someone else as well.
I don't think I need help but if I get hit by the bus you're out of luck. I think perhaps telling a couple of you will be appropriate.
Some redundancy would certainly be good. In case something bad happens we would have to hack your box to run the site, btw.
We want users and developers who download software from this site to have a way of verifying that what they just downloaded is indeed what the author uploaded and that the author who uploaded the software indeed is the author they think he is. This will help in preventing trojaned software from spreading.
For the user to verify a software package (usually a tarball or a zip file), the author will need to sign said package using his <a href="http://www.gnupg.org/">GPG</a> (or <a href="http://www.pgp.com/">PGP</a> or similar technology) private key. (For details on how to do this, check out the GnuPG site, for example, which has several howtos and other useful documents.)
Once the package has been signed, the user can then download the package plus the author's public key and verify that the public key at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
Poorly worded but does this capture our intent?
I think it does. It is ok.
Regards, Mario
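The workflow the draft policy describes (author signs the tarball, keymaster certifies the author's key, user checks both), run end to end against a throwaway keyring. This is an added example, not code from the thread or from common-lisp.net; it assumes gpg 2.1 or later on PATH, and every name, address and file content in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the sign/verify workflow sketched
# above, run end to end against a throwaway keyring. Assumes gpg >= 2.1.
# All names, addresses and file contents are constructed for the demo.
set -eu

export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

g()   { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
fpr() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Three keys: the site keymaster, the real author and an impostor.
for who in keymaster author impostor; do
  g --quick-gen-key "$who (constructed) <$who@example.invalid>" default default never
done
KM=$(fpr keymaster@example.invalid); AU=$(fpr author@example.invalid); IM=$(fpr impostor@example.invalid)
KM_KID=$(printf %s "$KM" | tail -c 16)   # long key ID = last 16 hex digits of the fingerprint

# The policy step: the keymaster certifies the author's key. The impostor's key is never certified.
g -u "$KM" --quick-sign-key "$AU"

# Both the author and the impostor publish a detached-signed "tarball".
printf 'genuine release\n'  > "$WORK/real.tar.gz"; g -u "$AU" --detach-sign "$WORK/real.tar.gz"
printf 'trojaned release\n' > "$WORK/fake.tar.gz"; g -u "$IM" --detach-sign "$WORK/fake.tar.gz"

# User side, check 1: does the detached signature match the downloaded file?
verify_package() { gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1; }

# User side, check 2: does the signing key carry a good certification from the keymaster?
# --check-sigs emits colon records "sig:<validity>:..:..:<keyid>:..."; validity "!" means good.
certified_by() {
  gpg --batch --with-colons --check-sigs "$1" 2>/dev/null |
    awk -F: -v kid="$2" '$1=="sig" && $2=="!" && $5==kid {ok=1} END {exit !ok}'
}

# Prints "ok" only when every expectation holds.
run_demo() {
  verify_package "$WORK/real.tar.gz"  || return 1  # genuine file, genuine signature ...
  certified_by "$AU" "$KM_KID"        || return 1  # ... from a key the keymaster vouched for
  verify_package "$WORK/fake.tar.gz"  || return 1  # the impostor's signature is "good" on its own ...
  certified_by "$IM" "$KM_KID"        && return 1  # ... but nobody at the site vouched for that key
  cp "$WORK/real.tar.gz" "$WORK/dl.tar.gz"; cp "$WORK/real.tar.gz.sig" "$WORK/dl.tar.gz.sig"
  printf 'x' >> "$WORK/dl.tar.gz"                  # a tampered download of the genuine release
  verify_package "$WORK/dl.tar.gz"    && return 1  # must fail
  echo ok
}
```

Check 1 alone is what `gpg --verify` gives you; check 2 is the part the keymaster's signing policy adds, and it is the only thing that separates the author's key from the impostor's.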