Posts List

GPG Key Transition

As an Ubuntu Core Dev, my GPG key effectively has root privileges on millions of physical machines and a very substantial number [1] of public cloud instances. Although there are safeguards in place - I'm notified by email of any uploads signed by my key, and all uploads to stable releases get a layer of manual review - I'm still aware that my key is a valuable target. I also need access to my key to get any uploads done, which means I need to have access to my key wherever I'm working.