[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Signing key for 0.10.0
From: |
Ludovic Courtès |
Subject: |
Re: Signing key for 0.10.0 |
Date: |
Mon, 10 Jul 2023 23:24:48 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi,
Arun Isaac <arunisaac@systemreboot.net> skribis:
> Thanks for reporting this! The new signing key is mine. I joined the
> skribilo team recently as a maintainer, and made the latest release. So,
> I signed it with my key. But, I see this is probably not the best
> idea. It would cause quite a lot of confusion everytime we have new
> maintainers on the team.
>
> @Ludo: How should we best handle release signatures? Should we resign
> the latest release with your key?
I don’t think so, it’s all fine IMO. (Note that procedures that apply
to GNU don’t apply here since it’s a non-GNU project; in particular, the
GNU keyring is about GNU release signatures.)
That said, we could/should introduce ‘.guix-authorizations’ and all
that for safe updates at the Git level.
WDYT?
Thanks,
Ludo’.