On Tue 2016-04-12 11:12:44 -0400, Paul Wise wrote:
> On Tue, 2016-04-12 at 10:26 -0400, Daniel Kahn Gillmor wrote:
>
>> I'm not sure that we need the [<fingerprint>] in that specification.
>
> This allows for multiple signers: an upstream release team to have
> multiple signers attesting that the build of the source tarball from
> git is bitwise reproducible, or an upstream signature plus the Debian
> maintainer attesting that they downloaded a particular package.

.asc files can already contain multiple signatures -- i guess i have no
problem with splitting them out if we want, as long as the tooling for
doing so is easy for people to use.

> BTW, check-all-the-things uses `hokey lint` to encourage package
> maintainers to talk to their upstreams about OpenPGP:
>
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/openpgp
>
> I should probably include a link to the best practices.
>
> https://help.riseup.net/en/security/message-security/openpgp/best-practices

Great, this is exactly the sort of ecosystem-shaping work we should be
encouraging.

        --dkg