Hi,
I was wondering how Tails is taking care of its signing keys. I have
read some documentation [1][2] and really appreciate the policy, setup
(i.e.: no subkeys), how well it's integrated in the WoT and the
documentation. Question, for other projects, as best practices: how are
you dealing with the secret material? Are all the developers sharing it,
are you using something like ssss? Have you thought about other options
or tools to help manage this? According to [2] you're not using ssss
(directly)?
I'm asking because:
a. no re-invention of wheels and hot water
b. good (release) practices are essential in any software piece
Disclosure: a project I'm involved with [3] prefers not to share key
material with all developers and putting it on a server with a web
application and a java monster aren't really appealing options either.
Therefore, we're exploring options and picking minds.
Last note: I obviously do *not* want to know whom or how many people
have access to those resources, generic statements that can be reused
make most sense.
Ciao,
kwadronaut
[1] https://tails.boum.org/doc/about/openpgp_keys/#index2h1
[2] https://tails.boum.org/contribute/release_process/#index9h1
[3] https://leap.se