gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]

[Jean-David Beyer]

On 04/05/2013 04:27 PM, Peter Lebbing wrote:
> I have no idea how Red Hat does this, but it seems unlikely to me. It's
> not connected to the internet, but signs the whole repository, and each
> individual security update etcetera. Is there a guy who keeps going back
> and forth with a USB stick between this terminal and another?

I do not know how they do it either. I assumed that each major release,
that for Red Hat occurs only about every 18 months, they do sign each
and every file in the repository. They probably have an automatic way to
do that. And then someone sneakernets it over to the Internet-connected
machines that do the downloads to the customers.

For updates, I assume they do that to each file that has been touched
and carry them over to the Internet-connected servers in a batch, say
once a day. But maybe they resign and carry over everything in the
repository to save the trouble of figuring out which have been touched
and which have not. The whole release fits on one DVD. Recall that for
Red Hat Enterprise Linux, with extremely few exceptions, they do not do
enhancements: those are delayed until the next major release up to 18
months later. They only do bug and security fixes (and that time-zone
file change). So once a day (or whenever the regression testing is
completed successfully) some clerk can do the carry over at some time,
presumably late at night.