Managing Code Signing Digital IDs for Open Source?

[Saqib Ali <docbook.xml () gmail com>]

What are the best practices for managing Code Signing Digital IDs +
Private Keys for
Open Source projects, where the developers are dispersed throughout
the globe? For our project there is NO central office, where we can
secure the private key for the Code Signing Digital ID. Who should
have the possession of the private key? Multiple people, or just the
project manager?

What Key Escrow (recovery) techniques can be used, in case the private
key holder is not available? I am fimiliar with shared secret concept. What I
am looking for is specific examples of technological solutions that we
can buy, to provide key escrow. Key escrow services provided by
Verisign are too expensive for us.

Who should be allowed to digitally sign the build? Currently one
person handles the signing responsibility, but I think that is surely
a single point of failure. Any thoughts/ideas?

Thanks,
-- 
In Peace,
Saqib Ali
http://validate.sf.net