And when should it get updated?

Currently our KEYS file: that contains the public keys of those that can signed 
released binary artifacts; only contains a few of the PMC. My understanding is 
that we've avoid updating it because it causes headache for operators in having 
to validate the authenticity of a new key that's signed a binary when 

If this is accurate, how prevalent is this problem actually on operators? Do 
some operators download the KEYS fresh from every release? Are the 
keys of our PMCs already in the existing web of trust?

I'm not knowledgeable on the precedence here for operators, and curious to 
what's the community's stance (and why)… And whether it is the time right to 
add all/more our PMC to the file? And whether we should always add new PMC to 
the file (if they're already in the web of trust?)? 


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to