[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-hackers-public] GNU maintainer keys?
|
From: |
Sylvain Beucler |
|
Subject: |
Re: [Savannah-hackers-public] GNU maintainer keys? |
|
Date: |
Fri, 27 Aug 2010 15:59:15 +0200 |
|
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Hi,
On Thu, Aug 26, 2010 at 10:09:14PM +0000, Karl Berry wrote:
> Hi Sylvain and all,
>
> My vague impression is that there is supposed to be some process that
> collects the GPG keys for people authorized to upload to GNU and
> transfer it to savannah somehow. And my even more vague impression is
> that the process stopped working a while ago so the key info on savannah
> is stale.
>
> Is any of that accurate? If we're lucky and we actually have the keys
> on savannah, is there a public (http/finger/whatever) way to access them?
There are 2 sets of upload locations:
- ftp.gnu.org: GPG keys managed by FSF sysadmins / address@hidden
- download.sv.gnu.org: SSH keys managed through the Savannah web
interface (Savane has a cron to check uploaded files and rename them
if they are not/badly signed, but we don't use it at Savannah).
However Savannah also offer users to upload GPG keys, and they are
available/downloadable from the user page.
It's worth noting that, given that GPG's ascii-armored dump is
pretty opaque, some people upload more than their own public key
there (keys that signed the keys, keys that also match the user's
nickname, etc.).
What stopped working at a point is the generation of the project
keyring (the above GPG key for all project members), which I had
fixed (available from the project member list).
> This comes up because Werner Koch (GPG maintainer) and I were hoping to
> write step-by-step instructions for verifying GNU packages, and getting
> the relevant keys is one of the harder steps :(.
Let me know if we can help.
--
Sylvain