[csw-maintainers] [policy] GPG Signing Key handling

Philip Brown phil at bolthole.com
Wed Feb 9 05:24:20 CET 2011


On Tuesday, February 8, 2011, Ben Walton <bwalton at opencsw.org> wrote:

> Please review the language below and present any clarifications you'd
> like for public discussion.  The vote will be initiated once
> discussion seems to be abating.

I find it very odd that this voting issue be raised, without any
mention of why it was even brought up.
(I'm not even sure why myself)

Clarifications, for those who may not be aware of this:

It should be noted that two separate people/roles currently hold the
key already: the release manager, and the backup release manager.
So it is already redundantly held.


You also do not make any statement of justification for why -any- board
member position should hold a copy of the key, in addition to these
positions.

A question then should also be raised of whether "the board" is
expected to hold a copy of *all* digital assets at all times.
For example, the root password, and database master passwords, for
every machine and service associated with opencsw. Currently, "the
board" does not hold such things in a formal sense, and as far as I
have heard, has no plans to do so as "a policy".

I have pointed this out to the board, and asked for an explanation of
why they think the signing key should be treated any differently than
these other secure assets.
I have received no reply to that.

For my own personal opinion, I think that IF the membership deems it
appropriate that a board member always have a copy of the key, then
the treasurer seems like the appropriate position.
However, if delegation of responsibility and security is enough for
those other things, it seems it should be good enough for the keys as
well.
