[exim-cvs] Releases signed by Phil's key, not Nigel's.

Author: Exim Git Commits Mailing List
To: exim-cvs
Subject: [exim-cvs] Releases signed by Phil's key, not Nigel's.
Gitweb: http://git.exim.org/exim.git/commitdiff/40167b055c6f7c2168941524ca6af08674dfbbb7
Commit:     40167b055c6f7c2168941524ca6af08674dfbbb7
Parent:     6abc190a70df97fc85e53192a62a61981c77fede
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Oct 3 22:00:13 2012 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Oct 3 22:00:13 2012 -0400


    Releases signed by Phil's key, not Nigel's.


    State a more general policy of PGP signing, mention trust paths, cite
    the main public keyserver pool, provide a link to a trustpath display
    between Nigel's key and Phil's.


    Provide Phil's current PGP keyid (noting it will change in 2013).


    Bounce via a redirector, on Phil's security site, because:
     (1) xfpt barfs on &url(..) where the URL contains an ampersand
     (2) No ampersands means less debugging across various platforms
     (3) The redirector is https: with a public cert, where www.exim.org
         does not have a cert (with that name, at this time).


    All keys cited in 0xLong form (16 hex characters).


    Nits:
     (1) URL is given with https:// on one line, the rest on the next
     (2) using alt text does not give the URL in the .txt format, despite
         the docs, because we build .txt from w3m -dump, so the HTML form is
         used.
     (3) Ideally, we'll get around to having https://www.exim.org/ exist and
         be usable for this redirect.


    Side-effects:
     (1) My name is in The Spec for the first time. :)
---
 doc/doc-docbook/spec.xfpt |   21 +++++++++++++++++----
 1 files changed, 17 insertions(+), 4 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index cd39b92..d35c305 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -533,10 +533,23 @@ The &_.bz2_& file is usually a lot smaller than the &_.gz_& file.
.cindex "distribution" "signing details"
.cindex "distribution" "public key"
.cindex "public key for signed distribution"
-The distributions are currently signed with Nigel Metheringham's GPG key. The
-corresponding public key is available from a number of keyservers, and there is
-also a copy in the file &_nigel-pubkey.asc_&. The signatures for the tar bundles are
-in:
+.new
+The distributions will be PGP signed by an individual key of the Release
+Coordinator. This key will have a uid containing an email address in the
+&'exim.org'& domain and will have signatures from other people, including
+other Exim maintainers. We expect that the key will be in the "strong set" of
+PGP keys. There should be a trust path to that key from Nigel Metheringham's
+PGP key, a version of which can be found in the release directory in the file
+&_nigel-pubkey.asc_&. All keys used will be available in public keyserver pools,
+such as &'pool.sks-keyservers.net'&.
+
+At time of last update, releases were being made by Phil Pennock and signed with
+key &'0x403043153903637F'&, although that key is expected to be replaced in 2013.
+A trust path from Nigel's key to Phil's can be observed at
+&url(https://www.security.spodhuis.org/exim-trustpath).
+.wen
+
+The signatures for the tar bundles are in:
.display
&_exim-n.nn.tar.gz.asc_&
&_exim-n.nn.tar.bz2.asc_&
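Review bot: the new paragraph at "At time of last update, releases were being made by Phil Pennock and signed with key &'0x403043153903637F'&" identifies the signing key only by its 64-bit keyid; a verifier who fetches that keyid from &'pool.sks-keyservers.net'& gets whatever key the pool returns under that id, so the spec should also cite the full fingerprint (or say where the fingerprint is published) for readers to compare against `gpg --fingerprint` output. Related, "At time of last update" carries no date, and the same sentence says the key "is expected to be replaced in 2013"; adding the date, or pointing at a single canonical location for the current key, keeps the text from silently going stale. Finally, the trust-path link goes to &url(https://www.security.spodhuis.org/exim-trustpath) rather than an exim.org host (the commit message explains why), so the paragraph could note that the trust path is something the reader should recompute from the keys themselves, not rely on the page alone.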