Bruno Haible via Gnulib discussion list <bug-gnulib@gnu.org> writes:

> Hi Simon,
>
>> However
>> isn't the canonical set of PGP keys for a project distributed from
>> Savannah though? If I'm signing the git bundle, it would be nice if the
>> gnulib PGP keys on Savannah included my key.
>
> The OpenPGP keys for all GNU packages are distributed through the GNU keyring
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg>, and it is publicized through the
> info-gnu announcements [1]. Therefore what is the additional benefit of
> having these per-package keyrings on savannah? (I wasn't even aware of
> this info, but yes I see that some of your packages [2][3] have it.) It's
> extra work to keep this per-package keyring up-to-date.
Yes, I've been annoyed by having to do these updates too. I use relatively
short PGP key expiration times and have to update it once a year or so, for
all projects.

One advantage that I can think of is that it automatically supports non-GNU
projects hosted on Savannah, which I think is useful.

The Savannah PGP URLs are ugly in the release announcements though.

However, for PGP key distribution, it is unwise to rely on only one single
source since it will become the target of attacks, so we do want to mention
multiple ways to get keys. Reducing the alternatives should be done with a
lot of care. The Savannah PGP URLs are used today by many projects, and
gnulib announce-gen and maint.mk have had code for it for many years. So I
think the overall balance is to keep the status quo here.

It looks simple to avoid the Savannah PGP URLs: just add
'gpg_keyring_url = https://josefsson.org/key-20190320.txt' to your cfg.mk to
provide some other URL for a project key.

All of the above doesn't mean we have to use this mechanism for the gnulib
git bundle though! So let's not add my key to the Savannah gnulib project,
it may only cause someone to rely on that mechanism which it seems we don't
want.

/Simon

> Bruno
>
> [1] https://lists.gnu.org/archive/html/info-gnu/2025-02/msg00007.html
> [2] https://savannah.gnu.org/projects/libtasn1
> [3] https://savannah.nongnu.org/projects/oath-toolkit/