As said already, it is great that drizzle gpg-signs their source tar balls :)
So the only thing probably missing is a key-ring which contains all keys allowed for signing the source...
Just an idea:
Maybe each key in the keyring should be then signed by a master-drizzle-developer key to build some Web of thrust?
As said already, it is great that drizzle gpg-signs their source tar balls :)
So the only thing probably missing is a key-ring which contains all keys allowed for signing the source...
Just an idea: drizzle- developer key to build some Web of thrust?
Maybe each key in the keyring should be then signed by a master-