On 5/11/20 8:20 PM, Aisha Tammy wrote:
> Hi devs@,
> Seems like for some reason the gentoo.org does not publish the
> gpg public keys of the senders, even though it is signed correctly.
>

Sorry, I meant **mail signing**, not commit signing. Just saw that wording was confusing.

> Just wanted to know why the devs are required to use gpg keys, glep63 [1]
> but even when the server has the public keys, they aren't published properly.
>
> From a proper security perspective, I would have thought something
> like WKD[2] would have been implemented on the server side for automated
> authentication.
>
> Maybe I am missing something about how to verify the keys of the maintainers
> who are sending announcements but it irks me a teensy bit when I have signed
> mails and I can't ~~trust~~ verify the signatures.
>
> This is tots an aside from normal gentoo stuff.
>
> Hope y'all are safe,
> Aisha
>
>
>
> [1]
> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
> [2] https://wiki.gnupg.org/WKD
>
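To make concrete what "WKD on the server side" would mean for the signed mails discussed above, here is an added example (not code from the thread, Gentoo, or GnuPG) that implements the address-to-URL mapping from the Web Key Directory draft: the local part of the address is lowercased, hashed with SHA-1, z-base-32 encoded, and placed under `/.well-known/openpgpkey/`. The address `Joe.Doe@Example.ORG` is the draft's own worked example; everything else is derived by the code.

```python
"""Derive the Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example, not part of the original thread. It implements the
address-to-URL mapping from the WKD draft (SHA-1 of the lowercased
local part, z-base-32 encoded) so a reader can see exactly which URL
a mail client fetches and, therefore, what a server operator has to
publish for automated key discovery to work.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189, section 5.1.6), the encoding WKD requires
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters are emitted)."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:
        # fewer than 5 bits remain: pad them on the right with zeros
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Return the 32-character WKD hash of an address's local part.

    The draft maps the local part to lowercase before hashing, so
    'Joe.Doe' and 'joe.doe' yield the same hash.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 characters


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for an e-mail address.

    A client tries the advanced method (openpgpkey subdomain) first and
    falls back to the direct method on the domain itself.
    """
    if address.count("@") != 1:
        raise ValueError("expected exactly one '@' in address")
    local_part, domain = address.split("@")
    domain = domain.lower()
    digest = wkd_hash(local_part)
    # the l= parameter carries the local part as written, percent-encoded
    query = "l=" + quote(local_part, safe="")
    return {
        "hash": digest,
        "advanced": (
            f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
            f"{domain}/hu/{digest}?{query}"
        ),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{digest}?{query}",
    }


if __name__ == "__main__":
    # draft's worked example: Joe.Doe@Example.ORG
    for url_kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{url_kind}: {url}")
```

A client such as `gpg --auto-key-locate wkd` fetches the "advanced" URL over HTTPS and, if that host does not exist, the "direct" one; the server only needs to serve the binary public key at the path the hash selects, so publishing keys for a sender domain is a matter of placing one file per address under that directory.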
