On 22/04/2025 10:58, YAMAZAKI MASAMITSU(山崎 真光) wrote: > Hi, > > We're pleased to announce the release of makedumpfile 1.7.7. > Thank you everyone for your help to maintain the tool. > > Download: > The latest makedumpfile can be downloaded from the following page. > https://github.com/makedumpfile/makedumpfile/releases > Hello,
I'm a package maintainer for Arch Linux of the makedumpfile. Previous releases were signed both the commit and the tag with the GPG key of Kazuhito Hagio. The 1.7.7 release is not signed (neither commit nor the tag) and from a different person (YAMAZAKI MASAMITSU). From a chain of trust that's not great. Ideally we'd like these to be GPG signed and have some kind of chain of trust from previous release to current. To resolve the current situation I suggest, if possible, to add on the root of the project a text file with approved GPG keys who are releasing this project made with a signed commit from Kazuhito Hagio. This will establish a chain of trust between Hagio's GPG key and Masa's key. Or more complicated sign Masa's key with Hagio's. In both cases a new signed tag 1.7.8 will be required as of now 1.7.7 is not OK (in terms of chain of trust) and re-tagging is also bad for downstream systems and for security-wise. You can find more information for Arch's motivation on this and other distro's in our recent RFC [0] [0]: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/46 Cheers, -- Leonidas Spyropoulos Developer & DevOps PGP: 59E43E106B247368
OpenPGP_0x244740D17C7FD0EC.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
