Please PGP-sign releases

Eli Schwartz eschwartz at archlinux.org
Tue Jun 5 16:53:19 UTC 2018


On 06/05/2018 12:05 PM, Denys Vlasenko wrote:
>> As a separate issue, the current signing key is dsa1024 which is
>> extremely old and not considered to be secure. It would be in general a
>> good idea to create a new rsa4096 key and use that going forward.
> 
> Can you expand on this? I'm no distro maintainer and have absolutely
> zero idea what would be the most comfortable for you guys.

There's a plethora of advice out there for generating signing keys, but
here's one decent link:
https://help.github.com/articles/generating-a-new-gpg-key/#generating-a-gpg-key


Basically, just make sure you generate a new key, using the current
default "RSA and RSA", and bump the key size upward from 2048 to 4096
(because cryptography is only getting better both in security and in
breaking it, so there's no reason to use anything but the strongest
version).

-- 
Eli Schwartz
Bug Wrangler and Trusted User
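As an added example (not part of the mail above or of the busybox project), the advice in this thread turned into a script: generate an RSA-4096 signing key non-interactively in a throwaway GNUPGHOME, detach-sign a release artifact, verify the signature, and run the check a packager would want, namely that every signing-capable key under the uid is RSA of at least the required size and not dsa1024. The name, e-mail address, file name, 4096-bit minimum and `%no-protection` (no passphrase) are assumptions for the demo only; a real release key should be protected and, unlike the interactive "RSA and RSA" default, this one carries a dedicated signing subkey instead of an encryption subkey.

```shell
#!/bin/sh
# Added example: RSA-4096 release-signing key, detached signature, verification,
# and a key-strength check. Everything below runs in a private, temporary
# GNUPGHOME so it never touches the caller's real keyring.
set -u
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Unattended key generation (gpg reads the parameter block from stdin with --batch).
# %no-protection is used only because this is a throwaway demo key (assumption).
gen_release_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Example Release Signer
Name-Email: releases@example.invalid
Expire-Date: 2y
%commit
EOF
}

# Print "<algo-id> <bits>" for every signing-capable key (primary or subkey) under $1.
# Colon format: field 3 is the key size, field 4 the algorithm id (1 = RSA, 17 = DSA),
# field 12 the capability letters ('s' = this key can sign).
signing_key_algo_bits() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '($1=="pub" || $1=="sub") && index($12,"s") {print $4, $3}'
}

# Assumed policy: every signing key must be RSA of at least $2 bits.
# A dsa1024 key (algo 17, 1024 bits) fails on both counts.
keys_meet_policy() {
    found=0
    while read -r algo bits; do
        found=1
        [ "$algo" = 1 ] && [ "$bits" -ge "$2" ] || return 1
    done <<EOF
$(signing_key_algo_bits "$1")
EOF
    [ "$found" = 1 ]
}

# Detached, ASCII-armored signature of artifact $1 made with uid $2, written to $1.asc.
sign_release() {
    gpg --batch --yes --armor --detach-sign --local-user "$2" --output "$1.asc" "$1"
}

# Exit status 0 only if $1.asc is a good signature over $1 by a key in the keyring.
verify_release() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

run_demo() {
    uid=releases@example.invalid
    artifact="$GNUPGHOME/release.tar.bz2"   # constructed stand-in for a real tarball
    gen_release_key
    if keys_meet_policy "$uid" 4096; then
        echo "signing keys are RSA >= 4096 bits"
    else
        echo "signing keys do not meet policy"
    fi
    printf 'constructed release contents\n' > "$artifact"
    sign_release "$artifact" "$uid"
    verify_release "$artifact" && echo "signature verifies"
    printf 'x' >> "$artifact"               # simulate a tampered download
    verify_release "$artifact" || echo "tampered artifact rejected"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Distribution packagers can reuse `keys_meet_policy` against an upstream's published key before trusting a release: import the key into a scratch GNUPGHOME, run the check, and refuse the package if a DSA or undersized key shows up.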

