Article 33Y4H [$] Strategies for offline PGP key storage

by jake from LWN.net on (#33Y4H)

While the adoption of OpenPGP by the general population is marginal at best, it is a critical component for the security community and particularly for Linux distributions. For example, every package uploaded into Debian is verified by the central repository using the maintainer's OpenPGP keys and the repository itself is, in turn, signed using a separate key. If upstream packages also use such signatures, this creates a complete trust path from the original upstream developer to users. Beyond that, pull requests for the Linux kernel are verified using signatures as well. Therefore, the stakes are high: a compromise of the release key, or even of a single maintainer's key, could enable devastating attacks against many machines.
