On Fri, 25 Aug 2017 16:48:13 +0200 Anselm R Garbe <garb...@gmail.com> wrote:
> Hi Mattias,
>
> On 25 August 2017 at 16:32, Mattias Andrée <maand...@kth.se> wrote:
> > On Fri, 25 Aug 2017 13:54:41 +0200
> > Anselm R Garbe <garb...@gmail.com> wrote:
> >
> >> On 25 August 2017 at 12:56, Laslo Hunhold <d...@frign.de> wrote:
> >> > On Fri, 25 Aug 2017 08:12:12 +0200
> >> > Anselm R Garbe <garb...@gmail.com> wrote:
> >> >> - (optional) repo owners/maintainers should sign their future git tags
> >> >> for release creation by using their own private PGP key.
> >> >
> >> > the public PGP-keys could be put on the
> >> > http://suckless.org/people/*-pages.
> >>
> >> Either that, or perhaps we can reinstate the old fashion of
> >> suckless.org/~user/ homedir.
> >
> > Wouldn't it be best to have all keys in one page?
>
> Sure it would, probably best is dl.suckless.org as well.
>
> My only concern with the wiki page is, that everybody could presumably
> tamper the pubkeys there, since we accept upstream wiki changes. Of
> course they need to be reviewed, but how do I know that Laslo's pubkey
> is really Laslo's pubkey without hassle when reviewing some public
> wiki change?
>
> Hence my suggestion to put them into a URL position that requires ssh
> access for pushing onto suckless.org, which is given for
> maintainers/repo owners.
>
> BR,
> Anselm

Each user could have a directory called pgp-keys and
dl.suckless.org could list those directories. This would
allow us to store old keys in a structured manner. An
alternative is that the owner of a repo commits his key
to the repo under /.pgp-keys.