Hi Chris, On Mon, Apr 28, 2025 at 10:24:05AM +0200, Chris Hofstaedtler wrote: > I'm not saying the dumat breakage is a 100% reason to not drop the > buster keys, but it's a datapoint for further consideration.
dumat is doing it wrong. It requires all signatures to be valid, while it should be checking for one valid signature. Dropping old keys is important as otherwise you could produce a release file with a single signature from that old key and it would be considered ok. Helmut
