On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:


> Hello, congrats on the update. I don't mean to be annoying but the introduction of a new key should be in an email signed by the old key. The download page could also clarify which versions are expected to be signed by either key and which are only by Daniel, e.g. from >=1.30 both keys are valid. This is probably in the changelog or NEWS file (if not please add) but I didn't check.

I'm pretty sure the mailing list updates too many aspects of the message for a signed email to properly pass through and be able to be validated.  Maybe I'm wrong here.  If I'm right though, what other way could we "prove" my key is allowed to be used?

I did briefly discuss with Daniel about him signing my key with his as a way to indicate some level of trust in my key; since we're across the ocean from each other we'd need to do ID verification via a video chat.  We just haven't gotten around to that yet, would that "suffice"?

Regarding documenting whose key was used when: historically we never even documented the valid signing key; there was no reference at all other than just having the signatures for each package themselves.  Daniel has used a couple over the years, a DSA 1024-bit key, and now an RSA 2048-bit key.  Mine is an ed25519 subkey used for signing, protected by an RSA 4096-bit certification key; we'll see if that causes any issues too :)

-Brad
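A release-verification check along the lines discussed in this thread, as an added example that is not c-ares project code: it verifies a tarball's detached signature against a dedicated keyring holding the maintainers' public keys and accepts it only when the primary-key fingerprint gpg reports is on an explicit allow-list, so an ed25519 signing subkey under an allow-listed certification key passes while an unknown, bad or revoked-key signature is rejected. The fingerprints and file names are constructed placeholders, not the real c-ares keys.

```shell
#!/bin/sh
# Added example, not c-ares project code: accept a release signature only when
# it comes from an allow-listed maintainer key. The fingerprints below are
# constructed placeholders, not the real keys.
ALLOWED_PRIMARY_FPRS="1111111111111111111111111111111111111111 2222222222222222222222222222222222222222"

# check_status: takes the text of `gpg --status-fd 1 --verify ...` in $1.
# A VALIDSIG line carries the primary-key fingerprint as its 10th argument
# (awk field $12), which is what we compare, so a signing subkey under an
# allow-listed certification key is accepted. Returns 0 to accept, 1 to reject.
check_status() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PRIMARY_FPRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { if ($12 in ok) good = 1; else bad = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "NODATA" || $2 == "NO_PUBKEY" { bad = 1 }
        END { if (good && !bad) exit 0; exit 1 }'
}

# verify_release TARBALL SIGNATURE KEYRING: run gpg against a keyring that holds
# only the maintainers' public keys, then apply the allow-list check above.
verify_release() {
    status=$(gpg --no-default-keyring --keyring "$3" --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null)
    check_status "$status"
}
# Usage: verify_release c-ares-X.Y.Z.tar.gz c-ares-X.Y.Z.tar.gz.asc ./c-ares-keyring.gpg
```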

--
c-ares mailing list
c-ares@lists.haxx.se
https://lists.haxx.se/mailman/listinfo/c-ares
