On 7/27/21 11:38 AM, Simon Josefsson via Gnulib discussion list wrote: > Let's discuss and see what we can do. Isn't this what the "release GPG keys" on Savannah are for?
Each project maintainer can set them up correctly under "Edit public info": "https://savannah.gnu.org/project/admin/editgroupinfo.php?group=${PROJECT}"; The result can be downloaded by users for verification: "https://savannah.gnu.org/project/release-gpgkeys.php?group=${PROJECT}&download=1"; e.g. coreutils': "https://savannah.gnu.org/project/release-gpgkeys.php?group=coreutils&download=1"; Downstream sometimes use them, e.g. SUSE and openSUSE are verifying the keys on their Open Build Service. Have a nice day, Berny
