gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]

Ryan Sawhill ryan at
Sat Apr 6 19:10:30 CEST 2013

I wouldn't have to work at Red Hat to find your imagining of all this
hilarious. No offense meant.

What makes the most sense: that all packages are built on a handful of
central build servers (individual maintainers building packages?
seriously?) on a private network and that as part of that automated build
process, the packages are signed. And then of course yes, some sort of
manual process to push packages out to publicly-accessible servers for

Also, for the record, you're wrong about "with extremely few exceptions,
they do not do enhancements: those are delayed until the next major release
up to 18 months later". Most packages will stay at the same upstream
version for the life of a RHEL major release, but feature-enhancements
still happen all the time with minor releases (every 6 months) and
sometimes even sooner. (Also, new major releases don't happen every 18

On Fri, Apr 5, 2013 at 4:42 PM, Jean-David Beyer <jeandavid8 at> wrote:

> On 04/05/2013 04:27 PM, Peter Lebbing wrote:
> > I have no idea how Red Hat does this, but it seems unlikely to me. It's
> > not connected to the internet, but signs the whole repository, and each
> > individual security update etcetera. Is there a guy who keeps going back
> > and forth with a USB stick between this terminal and another?
> I do not know how they do it either. I assumed that each major release,
> that for Red Hat occurs only about every 18 months, they do sign each
> and every file in the repository. They probably have an automatic way to
> do that. And then someone sneakernets it over to the Internet-connected
> machines that do the downloads to the customers.
> For updates, I assume they do that to each file that has been touched
> and carry them over to the Internet-connected servers in a batch, say
> once a day. But maybe they re-sign and carry over everything in the
> repository to save the trouble of figuring out which have been touched
> and which have not. The whole release fits on one DVD. Recall that for
> Red Hat Enterprise Linux, with extremely few exceptions, they do not do
> enhancements: those are delayed until the next major release up to 18
> months later. They only do bug and security fixes (and that time-zone
> file change). So once a day (or whenever the regression testing is
> completed successfully) some clerk can do the carry over at some time,
> presumably late at night.