official signing key for source tarball

Bug #1266204 reported by coldtobi
This bug affects 1 person
Affects: Drizzle
Status: In Progress
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

First, thanks for also providing a signature file for your source.

However, I'm currently having trouble finding out which gpg key is allowed for signing the tarball.

While the one currently used (signed by Vijay Samuel) is probably OK, I cannot find the documentation/information to back this up.

The only reference to a signing key for drizzle is to this one, 06899068 in the
PPA for Drizzle-developers (https://launchpad.net/~drizzle-developers/+archive/ppa).

Thanks for clarifying

--
coldtobi

Patrick Crews (patrick-crews) wrote :

marking in-progress for reporter response

Changed in drizzle:
importance: Undecided → Medium
status: New → In Progress

Patrick Crews (patrick-crews) wrote :

:/ My previous comment was somehow lost. Apologies.
To repeat:
We have a number of developers that work on releases, Vijay being one of them.
I do apologize for any confusion related to the veracity of our tarballs, but iirc, launchpad will not allow someone to create a tarball release unless they have appropriate permissions within the project, which should provide some comfort.

This might be a good feature request for launchpad - to provide a list of those gpg-keys / users that are approved releasers, but at the moment, I believe all we have is this:
https://launchpad.net/+help-registry/verify-downloads.html

I hope this helps. Leaving the bug as 'in progress'.

coldtobi (tobi-coldtobi) wrote :

As said already, it is great that drizzle gpg-signs their source tarballs :)
So the only thing probably missing is a key-ring which contains all keys allowed for signing the source...

Just an idea:
Maybe each key in the keyring should then be signed by a master-drizzle-developer key to build some Web of Trust?

coldtobi (tobi-coldtobi) wrote :

pressed post too fast ...

This keyring could then be published by the project.
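
The keyring idea from the comments above, as an added example that is not part of the bug report or of Drizzle's own tooling: a shell function that accepts a tarball only if gpgv finds a valid signature made by a key in a dedicated release keyring. The keyring file and all paths are hypothetical, since the thread describes no published keyring.

```shell
#!/bin/sh
# Added example: check a release tarball against a project-published keyring.
# The keyring is assumed to be a binary export (gpg --export) that holds only
# the approved release keys; all file names are hypothetical.

# verify_release KEYRING TARBALL SIG
# Prints the fingerprint of the key that made a valid signature.
# Returns 0 on success, 2 if an input file is missing, 3 if gpgv is not
# installed, 1 if there is no valid signature from a key in KEYRING.
verify_release() {
    keyring=$1
    tarball=$2
    sig=$3

    # Fail closed: never fall back to the caller's personal keyring.
    for f in "$keyring" "$tarball" "$sig"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 3; }

    # gpgv looks up a bare keyring name in the GnuPG home directory,
    # so make sure the argument contains a slash.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac

    # --status-fd 1 emits machine-readable lines on stdout. VALIDSIG carries
    # the full fingerprint; compare that, not a short 8-digit key ID.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$tarball" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# Stand-alone use: sh verify-release.sh KEYRING TARBALL SIG
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```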
