Hi,

Arun Isaac <[email protected]> wrote:

> Thanks for reporting this! The new signing key is mine. I joined the
> skribilo team recently as a maintainer, and made the latest release. So,
> I signed it with my key. But, I see this is probably not the best
> idea. It would cause quite a lot of confusion every time we have new
> maintainers on the team.
>
> @Ludo: How should we best handle release signatures? Should we re-sign
> the latest release with your key?

I don’t think so, it’s all fine IMO. (Note that procedures that apply to GNU don’t apply here since it’s a non-GNU project; in particular, the GNU keyring is about GNU release signatures.)

That said, we could/should introduce ‘.guix-authorizations’ and all that for safe updates at the Git level. WDYT?

Thanks,
Ludo’.
