Date: Mon, 13 Oct 2014 08:19:56 +0000
From: Phil Pennock
To: Peter Stephenson
Cc: zsh-workers@zsh.org
Subject: Re: reproducing release tarball for 5.0.7
Message-ID: <20141013081956.GA62419@tower.spodhuis.org>
In-Reply-To: <20141012180013.0d8f1b2e@pws-pc.ntlworld.com>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/0x4D1E900E14C1CC04.asc

On 2014-10-12 at 18:00 +0100, Peter Stephenson wrote:
[ PGP keys for zsh ]
> > Could do, guess we need a new key for this.

Not really: role keys only make sense if there's a bunch of process and
control around their access and some people who can validate the key who
sign it to provide trust paths to the outside world. For open source
projects, IMO it makes more sense to just have individual maintainers
use their own keys.

I wrote this, as part of Exim's release process documentation:

  https://github.com/Exim/exim/wiki/EximReleasePolicy#release-verification

and think it's a reasonable baseline for zsh too. Probably drop the
$project.org UID bit, since @zsh.org email addresses aren't really used
by individuals.

-Phil