On Tue, 2016-04-12 at 10:26 -0400, Daniel Kahn Gillmor wrote:

> I'm not sure that we need the in that specification.

This allows for multiple signers: an upstream release team to have multiple signers attesting that the build of the source tarball from git is bitwise reproducible, or an upstream signature plus the Debian maintainer attesting that they downloaded a particular package.

> * If problems are found with certain kinds of keys for software
>   signing, there is an easy way to do a rapid scan of the archive to
>   detect which keys might be vulnerable and encourage upstreams to fix
>   their practices

BTW, check-all-the-things uses `hokey lint` to encourage package maintainers to talk to their upstreams about OpenPGP:

https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/openpgp

I should probably include a link to the best practices.

https://help.riseup.net/en/security/message-security/openpgp/best-practices

-- 
bye,
pabs

https://wiki.debian.org/PaulWise