official signing key for source tarball

Bug #1266204 reported by coldtobi on 2014-01-05
This bug affects 1 person
Affects: Drizzle
Importance: Medium
Assigned to: Unassigned

Bug Description

First, thanks for also providing a signature file for your source.

However, I'm currently having trouble finding out which gpg key is allowed for signing the tarball.

While the one currently used (signed by Vijay Samuel) is probably OK, I cannot find the documentation/information to back this up.

The only reference to a signing key for drizzle is to this one, 06899068 in the PPA for Drizzle-developers (https://launchpad.net/~drizzle-developers/+archive/ppa).

Thanks for clarifying

--
coldtobi

Patrick Crews (patrick-crews) wrote :

marking in-progress for reporter response

Changed in drizzle:
importance: Undecided → Medium
status: New → In Progress

Patrick Crews (patrick-crews) wrote :

:/ My previous comment was somehow lost. Apologies.
To repeat:
We have a number of developers that work on releases, Vijay being one of them.
I do apologize for any confusion related to the veracity of our tarballs, but iirc, launchpad will not allow someone to create a tarball release unless they have appropriate permissions within the project, which should provide some comfort.

This might be a good feature request for launchpad - to provide a list of those gpg-keys / users that are approved releasers, but at the moment, I believe all we have is this:
https://launchpad.net/+help-registry/verify-downloads.html

I hope this helps. Leaving the bug as 'in progress'.

coldtobi (tobi-coldtobi) wrote :

As said already, it is great that drizzle gpg-signs their source tarballs :)
So the only thing probably missing is a key-ring which contains all keys allowed for signing the source...

Just an idea:
Maybe each key in the keyring should then be signed by a master-drizzle-developer key to build some web of trust?

coldtobi (tobi-coldtobi) wrote :

pressed post too fast ...

This keyring could then be published by the project.
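
The keyring idea discussed in this thread, as an added example that is not part of the original bug report or the project's own tooling: with `gpgv`, a keyring file is itself the list of allowed signers, so a download is accepted only if its detached signature verifies against a key in that file. The keyring path, the function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a tarball only if it is signed by a key in a
# project-published release keyring (hypothetical file, passed as argument).

# Read gpgv --status-fd output on stdin. Print the signer's primary-key
# fingerprint, or fail if the signature is bad, expired, revoked or unknown.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (bad || !good || fpr == "") exit 1
            print fpr
        }'
}

# verify_release KEYRING SIGNATURE TARBALL
# KEYRING must contain a slash (e.g. ./release-keyring.gpg); otherwise gpgv
# looks for it in the GnuPG home directory.
verify_release() {
    status=$(gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_from_status
}

# Constructed sample of what gpgv reports for a good signature.
SAMPLE_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Constructed Releaser
[GNUPG:] VALIDSIG 99998888777766665555444433332222AAAABBBB 2014-01-05 1388880000 0 4 0 1 8 00 $SAMPLE_FPR"

# Run as: sh verify.sh ./release-keyring.gpg release.tar.gz.asc release.tar.gz
if [ "$#" -eq 3 ]; then
    verify_release "$@"
    exit
fi
```

The printed fingerprint can be compared with the one the project publishes over a separate channel, which covers the case where the keyring file itself was fetched from the same place as the tarball.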
