[libvirt PATCH] docs: Mention GPG key used for signing releases
Eric Blake
eblake at redhat.com
Mon Oct 19 18:34:51 UTC 2020
On 10/14/20 11:11 AM, Jiri Denemark wrote:
> On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
>> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
>>> Signed-off-by: Jiri Denemark <jdenemar at redhat.com>
>>> ---
>>>
>>> Notes:
>>> Should we also make the key available for download?
>>
>> Now that you've provided the fingerprint, isn't it enough for the users to
>> fetch it from a keyserver should they wish so?
>
> Sure, it is enough. I just wanted to make sure I wasn't the only one who
> thought so :-)
The problem is that more and more keyservers are being rendered
worthless by spam keys exploiting their append-only nature, which makes
them no longer an ideal way to get a key. I'd recommend making it
available for download here in addition to the keyservers.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
More information about the libvir-list
mailing list