No chain of trust between 2.0.4 and 2.1.0
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
lazr.delegates | Fix Released | Low | Colin Watson | |
Bug Description
Hi! I package this project for Arch Linux.
To mitigate supply chain attacks (https:/
While 2.0.4 has been signed by AC0A4FF12611B6F
The latter userid (http://
Please ensure that the chain of trust remains intact between releases, else signing the sources is rather meaningless (as anyone can claim to be a certain userid on an arbitrary key).
To do so, please have the previous key sign the current userid on the new key, so that external parties can verify its validity.
In the current state this prevents me from upgrading to 2.1.0 until this is cleared up.
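The check a packager can run once the old key has certified the new one, as an added example that is not part of the original bug report: it parses a listing in the format of `gpg --with-colons --check-sigs` for the new key and reports which user IDs carry a good, unrevoked certification from the old key. The fingerprints, user IDs and the listing itself are constructed placeholders, and the helper names are hypothetical.

```python
CERT_CLASSES = {"10", "11", "12", "13"}  # RFC 4880 user ID certification types
OLD = "1" * 40  # placeholder fingerprint of the previous release key (constructed)
NEW = "2" * 40  # placeholder fingerprint of the new release key (constructed)

def _sig(issuer, cls, status="!"):
    # Build one constructed `sig` record: status, issuer key ID, class, issuer fingerprint.
    return f"sig:{status}::1:{issuer[-16:]}:1600000000::::(signer):{cls}::{issuer}:::10:"

SAMPLE = "\n".join([  # constructed listing, not output captured from a real key
    f"pub:-:4096:1:{NEW[-16:]}:1600000000:::-:::scESC:",
    f"fpr:::::::::{NEW}:",
    "uid:-::::1600000000::(hash)::Release Signer <signer@example.org>:",
    _sig(NEW, "13x"),       # self-signature
    _sig(OLD, "10x"),       # certification issued by the old key
    "uid:-::::1600000000::(hash)::Release Signer <signer@example.net>:",
    _sig(NEW, "13x"),       # only self-signed: no link to the old key
    _sig(OLD, "10x", "-"),  # bad signature naming the old key: must not count
    f"sub:-:4096:1:{'3' * 16}:1600000000::::::e:",
    _sig(NEW, "18x"),       # subkey binding, not a user ID certification
])

def certified_uids(listing, old_fpr):
    """Map each user ID to True if old_fpr issued a good, unrevoked certification on it."""
    result, revoked, uid = {}, set(), None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            uid = f[9]
            result.setdefault(uid, False)
        elif f[0] in ("pub", "sub"):
            uid = None  # signatures that follow belong to a key, not a user ID
        elif f[0] in ("sig", "rev") and uid is not None and len(f) > 12:
            # Field 13 is the issuer fingerprint; fall back to the 64-bit key ID
            # in field 5 only when it is absent (key IDs are weaker identifiers).
            issuer = f[12] or f[4]
            from_old = issuer == old_fpr or (len(issuer) == 16 and old_fpr.endswith(issuer))
            if not (from_old and f[1].startswith("!")):
                continue  # "!" is the only status that means the signature verified
            if f[0] == "rev" and f[10][:2] == "30":
                revoked.add(uid)  # the old key revoked its certification
            elif f[0] == "sig" and f[10][:2] in CERT_CLASSES:
                result[uid] = True
    return {u: ok and u not in revoked for u, ok in result.items()}

if __name__ == "__main__":
    for user_id, ok in certified_uids(SAMPLE, OLD).items():
        print("certified by old key" if ok else "NOT certified", "-", user_id)
```

The old key's fingerprint has to come from a source already trusted, such as the key pinned for the previous release, since the listing alone only shows that some key with that fingerprint signed the user ID.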
Changed in lazr.delegates:
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
Processed as requested.