gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]

Peter Lebbing peter at digitalbrains.com
Fri Apr 5 22:27:31 CEST 2013


On 05/04/13 20:16, Jean-David Beyer wrote:
> Probably the software Red Hat supplies is kept on a machine that is not
> on the Internet and it is all signed on that machine. At which point,
> the signed software is placed on an Internet-connected machine for
> downloading (seems like a good idea to me).

I have no idea how Red Hat does this, but it seems unlikely to me. It's
not connected to the internet, but signs the whole repository, and each
individual security update et cetera. Is there a guy who keeps going back
and forth with a USB stick between this terminal and another?

AFAIK, in Debian, individual maintainers sign the packages they maintain
from their own systems. Some might choose to do a complicated dance with
a USB stick, but I expect many to sign on a net-connected machine. And
then an automatic signature follows from the repository key when the
maintainer's signature matches.

Last time I said AFAIK on this list I was wrong, though.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
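The two-tier flow Peter sketches (a maintainer signs from their own machine; the repository key countersigns automatically once the maintainer's signature checks out against a keyring of accepted maintainers; clients trust only the repository key) can be modelled in a few dozen lines. The program below is an added example written for this page, not code from the post, from Debian's archive tooling or from GnuPG. It uses Ed25519 from Go's standard library in place of OpenPGP so it runs offline, and the key names ("alice@example.org", "mallory@example.org"), package names and payload bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what a maintainer uploads: the artifact, the (hypothetical)
// id of the key that signed it, and the signature over its SHA-256 digest.
type Package struct {
	Name       string
	Content    []byte
	Maintainer string
	Signature  []byte
}

// SignPackage is the maintainer's step, run on the maintainer's own machine.
func SignPackage(name string, content []byte, maintainer string, priv ed25519.PrivateKey) Package {
	digest := sha256.Sum256(content)
	return Package{Name: name, Content: content, Maintainer: maintainer,
		Signature: ed25519.Sign(priv, digest[:])}
}

// Repository is the archive side: a keyring of accepted maintainer public
// keys and the repository signing key that clients ultimately trust.
type Repository struct {
	Keyring map[string]ed25519.PublicKey
	Priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

var (
	ErrUnknownMaintainer = errors.New("maintainer key not in keyring")
	ErrBadSignature      = errors.New("maintainer signature does not verify")
)

// Accept verifies the maintainer's signature against the keyring and only
// then issues the automatic repository signature over the same digest.
func (r *Repository) Accept(p Package) ([]byte, error) {
	pub, ok := r.Keyring[p.Maintainer]
	if !ok {
		return nil, ErrUnknownMaintainer
	}
	digest := sha256.Sum256(p.Content)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return nil, ErrBadSignature
	}
	return ed25519.Sign(r.Priv, digest[:]), nil
}

// VerifyRepoSignature is the client's check: it needs only the repository key.
func VerifyRepoSignature(repoPub ed25519.PublicKey, content, repoSig []byte) bool {
	digest := sha256.Sum256(content)
	return ed25519.Verify(repoPub, digest[:], repoSig)
}

// Demo runs one honest upload and two that must be refused: an upload under
// a name not in the keyring, and an upload altered after the maintainer signed.
func Demo() (accepted bool, rejectUnknown error, rejectTampered error, err error) {
	maintPub, maintPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	repoPub, repoPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	repo := &Repository{
		Keyring: map[string]ed25519.PublicKey{"alice@example.org": maintPub}, // constructed keyring
		Priv:    repoPriv,
		Pub:     repoPub,
	}

	// Constructed payload standing in for a real package file.
	pkg := SignPackage("hello_1.0.deb", []byte("constructed package payload"), "alice@example.org", maintPriv)
	repoSig, err := repo.Accept(pkg)
	if err != nil {
		return
	}
	accepted = VerifyRepoSignature(repoPub, pkg.Content, repoSig)

	// A valid signature from a key the archive does not list gets no countersignature.
	stranger := SignPackage("evil_1.0.deb", []byte("x"), "mallory@example.org", maintPriv)
	_, rejectUnknown = repo.Accept(stranger)

	// Content changed after signing: the maintainer signature no longer matches.
	tampered := pkg
	tampered.Content = []byte("constructed package payload, backdoored")
	_, rejectTampered = repo.Accept(tampered)
	return
}

func main() {
	accepted, unknown, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest upload countersigned and verified by client:", accepted)
	fmt.Println("unknown maintainer:", unknown)
	fmt.Println("tampered package:", tampered)
}
```

The point the model makes plain is where the trust actually sits: the repository key signs whatever the keyring admits, so the archive's security reduces to how that keyring is curated and how well each maintainer protects the key they sign with on a net-connected machine. That is exactly the exposure the offline-signing-machine arrangement in the quoted message is meant to avoid.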
