[libvirt PATCH] docs: Mention GPG key used for signing releases

Eric Blake eblake at redhat.com
Mon Oct 19 18:34:51 UTC 2020

On 10/14/20 11:11 AM, Jiri Denemark wrote:
> On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
>> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
>>> Signed-off-by: Jiri Denemark <jdenemar at redhat.com>
>>> ---
>>> Notes:
>>>      Should we also make the key available for download?
>> Now that you've provided the fingerprint, isn't it enough for the users to
>> fetch it from a keyserver should they wish so?
> Sure, it is enough. I just wanted to make sure I wasn't the only one who
> thought so :-)

The problem is that more and more keyservers are being rendered 
worthless by spam keys exploiting their append-only nature, which makes 
them no longer an ideal way to get a key.  I'd recommend making it 
available for download here in addition to the keyservers.

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

More information about the libvir-list mailing list