Hey.
1) Just for the records: https://github.com/xsuchy/distribution-gpg-keys/issues/76 was closed/rejected... I proposed some alternative names there (completely avoiding GPG|[Open]PGP terms).... but it feels as if the upstream author wants to stick with the name?! So from that PoV, there's IMO no need to wait with this packaging effort. 2) What would be nice to see in the final package (in terms of security), was a test suite (when builing the package) that compares the contained keys with those of the respective upstream locations (or in case of Debian, with those in debian-archive-keyring). Not that I want to say that upstream is untrustworthy, but everyone can be hacked, and such a test suite might help to notice if there are differences. 3) Hope to see this in Debian (and derivates) soon, as it might help that mkosi upstream changes the default behaviour to never fall back to only HTTPS-secured downloading of packages: https://github.com/systemd/mkosi/issues/757 Cheers, Chris.