Hi,

Ludovic Courtès <[email protected]> writes:

> Hello,
>
> Vagrant Cascadian <[email protected]> writes:
>
>> So, there are quite a few different ways in which the keys *could* be
>> updated automatically ... although the intersecting set of update
>> methods might be a mess. :/
>
> What about downloading the keys from <https://codeberg.org/USER.gpg> and
> requesting that each committer keeps it up-to-date?
>
> Now, we should also minimize them (strip them of signatures) before
> adding them to the ‘keyring’ branch.

Wouldn't frequent updates to the keyring branch be a bit worrisome?
Currently the keys only change very rarely, but if we were to refresh
them every year or so, that'd be a lot of potentially sensitive
commits/key updates to verify, if someone were to keep track of them.

I understand that the expiry doesn't change the key itself, so perhaps
it'd be obvious in the diff what was done, but still. It seems
preferable to me that the 'keyring' branch remains low traffic, etched
'once' (or rarely) kind of thing.

--
Thanks,
Maxim
