My +1.
I do agree that a 4096-bit key is better for releases, although the current requirement is "Committers with a DSA key or an RSA key of length *less than* 2048 bits should generate a new key for signing releases". Kiran's key is 2048 bits long, which is, strictly speaking, the bare minimum to cut a release. I suspect this will not hold forever; it's probably a good move to generate this 4096-bit key before the next release.

Packages and tag checked, signature checked.

Note that the sign.sh script is not part of the release; it's just a tool that is provided to release managers, for convenience. Also note that the XXX.asc files get signed too, which is unnecessary: this is a by-product of the release+sign.sh script. I usually remove them before pushing the packages on people.a.o...

Thanks Kiran!
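An added example, not part of the thread or of the project's own tooling, that checks the two points raised above: whether a signing key meets the quoted requirement (no DSA, RSA of at least 2048 bits) by parsing `gpg --with-colons --list-keys` output, and whether a release directory contains signed signature files (`*.asc.asc`) left behind by signing the .asc files. The sample key records and key ids are constructed.

```python
"""Release-signing sanity checks (example code, not the project's sign.sh)."""

# OpenPGP public-key algorithm ids as they appear in the 4th field of a
# 'pub' record in `gpg --with-colons --list-keys` output (RFC 4880, 9.1).
ALGO_RSA = {1, 2, 3}
ALGO_DSA = {17}
MIN_RSA_BITS = 2048  # the quoted minimum for release-signing keys


def key_policy_problems(colons_output):
    """Return one message per 'pub' record that violates the key policy.

    Colon-format fields: 1=record type, 2=validity, 3=key length in bits,
    4=algorithm id, 5=key id (zero-indexed: 0, 1, 2, 3, 4).
    """
    problems = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        bits, algo, keyid = int(fields[2]), int(fields[3]), fields[4]
        if algo in ALGO_DSA:
            problems.append(f"{keyid}: DSA key, generate a new key")
        elif algo in ALGO_RSA and bits < MIN_RSA_BITS:
            problems.append(f"{keyid}: RSA {bits} bits is below {MIN_RSA_BITS}")
    return problems


def stray_signature_files(names):
    """Return detached signatures that were themselves signed (x.asc.asc)."""
    return sorted(n for n in names if n.endswith(".asc.asc"))


# Constructed sample in the shape gpg emits; key ids are made up.
# First key: RSA 2048 (passes, the bare minimum); second: DSA 1024 (fails);
# third: RSA 1024 (fails).
SAMPLE_KEYS = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1600000000::-:::scESC::::::23::0:
uid:u::::1600000000::X::Release Manager <rm@example.invalid>::::::::::0:
pub:u:1024:17:BBBBBBBBBBBBBBBB:1500000000::-:::scESC::::::23::0:
pub:u:1024:1:CCCCCCCCCCCCCCCC:1500000000::-:::scESC::::::23::0:
"""

# Constructed listing of a staged release directory.
SAMPLE_FILES = ["foo-1.0.tar.gz", "foo-1.0.tar.gz.asc", "foo-1.0.tar.gz.asc.asc"]

if __name__ == "__main__":
    for msg in key_policy_problems(SAMPLE_KEYS):
        print("key policy:", msg)
    for name in stray_signature_files(SAMPLE_FILES):
        print("remove before pushing:", name)
```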
