[lsb-discuss] [Webdevel] Key for signing downloadable printer driver packages
Theodore Tso
tytso at mit.edu
Wed Oct 8 12:26:53 PDT 2008
On Wed, Oct 08, 2008 at 08:18:08PM +0200, Till Kamppeter wrote:
> Only distribution with client software for driver download is Ubuntu
> Intrepid now. Fedora has at least download for single PPDs from
> OpenPrinting.
>
> As distros want to have high security when it comes to automatically
> downloading software from the internet, I think they will accept
> including the keys, especially when they already include the client
> software.
>
> And Ubuntu Intrepid does not only download printer drivers but also
> kernel drivers via Jockey (which AFAIK will also be hosted at the LF).
> So I think we should quickly make available appropriate keys so that
> they can still go into Intrepid (RC freeze in a week or so).
Some distributions have gotten very paranoid because of liability
concerns when the key is controlled by someone outside their company.
So simply generating a key having it signed by the LSB master key is
not hard. The question is whether Ubuntu has any policy about how the
key should be protected in order for them to be comfortable including
it as a trusted key in Interpid. I see you've encloded Martin Pitt,
so perhaps he can comment on that issue.
The plan I've proposed is that LSB 4.0 release key would only be
stored on-line on LF servers (even though it's encrypted) while we are
doing the final build process. Other than that, it would be stored
off-line, and only those people who are directly involved with the
final release process would know the pass-phrase associated with the
key, on a need-to-know basis.
Presumably we'll want to establish similar policy for the OpenPrinting
key. The key is to making sure the policy is rigorous enough that (a)
distributions are comfortable including the key, and (b) we keep the
key safe so it doesn't get compromised, while at the same time not
making it too difficult for you to release new drivers.
- Ted
More information about the lsb-discuss
mailing list