While I'm absolutely in favour of the overall intent here, I'm not so sure of the design.
I'm worried about the proliferation of tiny packages just to convey the keys; and how versioning should work if upstream rotates their keys.

I picked this message in the thread to respond to, because it was clearest that this could break when the keys are rotated. The old releases might not be verifiable with the new keys.

Additionally:
- not all upstream providers ship .asc files of their keys
- some upstreams use signed DIGESTS files rather than directly signing the distfiles (esp. where distfiles are larger)

Can we instead:
Inside the ebuild and/or metadata.xml, convey:
1. URL(s) to fetch keys, incl. keyserver support
2. Full key fingerprint

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
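Added example, not from the thread and not Gentoo's or the author's code: the two checks the proposal above implies. First, pin the upstream key by its full fingerprint (not a short key id) and confirm that whatever key was fetched from the URL or keyserver actually carries that fingerprint, by reading `gpg --with-colons --fingerprint` output. Second, verify a distfile against a (clear)signed DIGESTS file rather than a detached .asc on the tarball. The colon output, the distfile and the DIGESTS text are constructed samples; the pinned fingerprint is the author's own from the signature block, used only as sample pin data; the OpenPGP signature on DIGESTS is assumed to have been checked already with the pinned key (`gpg --verify`), which needs gpg and is outside this offline example.

```python
"""Pin-by-full-fingerprint check plus DIGESTS verification (added example)."""
import hashlib
import re

# Sample pin: the author's key fingerprint from the signature block above.
PINNED_FINGERPRINT = "11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85"

# Constructed `gpg --with-colons --fingerprint` output: primary key with the
# pinned fingerprint, one signing subkey with an all-zero placeholder fpr.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:B27B944E34884E85:1325376000:::u:::scESC::::::23::0:
fpr:::::::::11ACBA4F4778E3F6E4EDF38EB27B944E34884E85:
uid:u::::1325376000::0123456789ABCDEF0123456789ABCDEF01234567::Constructed Uid <constructed@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000000:1325376000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

DISTFILE_NAME = "example-1.0.tar.xz"                 # constructed name
DISTFILE_DATA = b"constructed distfile contents\n"   # constructed payload


def is_full_fingerprint(fpr: str) -> bool:
    """40 hex digits (v4 key) or 64 (v5).  A 16-char key id or 8-char short id
    is rejected: both are cheap to collide and pin nothing."""
    return re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}",
                        re.sub(r"\s+", "", fpr).upper()) is not None


def normalize_fingerprint(fpr: str) -> str:
    """Strip gpg's 4-char grouping spaces and upper-case; refuse non-full pins."""
    if not is_full_fingerprint(fpr):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprints(colon_output: str) -> list[str]:
    """Fingerprints of PRIMARY keys only.  In colon output an `fpr` record's
    10th field is the fingerprint of the preceding `pub`/`sub` record; subkey
    fingerprints are skipped so a pin must name the primary key."""
    result, owner = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9 and owner == "pub":
            result.append(fields[9].upper())
    return result


def key_matches_pin(colon_output: str, pinned: str) -> bool:
    """True only if the fetched key's primary fingerprint equals the pin."""
    return normalize_fingerprint(pinned) in primary_fingerprints(colon_output)


def parse_digests(text: str) -> dict[str, dict[str, str]]:
    """Parse a Gentoo-style DIGESTS file, optionally clearsigned.
    `# <ALGO> HASH` comment lines announce the algorithm for the
    `<hexdigest>  <filename>` lines that follow.  Returns
    {filename: {algo: hexdigest}}.  Armor lines carry no digests and are
    skipped; their authenticity is gpg's job, not this parser's."""
    algo, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                                   # nothing useful after it
        if not line or line.startswith("-----") or line.startswith("Hash:"):
            continue                                # blank / armor / clearsign hdr
        m = re.fullmatch(r"#\s*([A-Za-z0-9]+)\s+HASH", line)
        if m:
            algo = m.group(1).lower()
            continue
        if line.startswith("#") or algo is None:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            entries.setdefault(name, {})[algo] = digest.lower()
    return entries


def verify_distfile(name: str, data: bytes, entries: dict) -> bool:
    """Every listed digest for `name` must match; unknown names fail closed."""
    algos = entries.get(name)
    if not algos:
        return False
    for algo, expected in algos.items():
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:                 # algorithm hashlib cannot compute
            return False
        if actual != expected:
            return False
    return True


def make_sample_digests(name: str, data: bytes) -> str:
    """Constructed DIGESTS text in clearsigned layout (the signature is a stand-in)."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
            f"# BLAKE2B HASH\n{hashlib.blake2b(data).hexdigest()}  {name}\n"
            f"# SHA512 HASH\n{hashlib.sha512(data).hexdigest()}  {name}\n"
            "-----BEGIN PGP SIGNATURE-----\n\n[constructed, not a signature]\n"
            "-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    print("key matches pin:", key_matches_pin(SAMPLE_COLONS, PINNED_FINGERPRINT))
    entries = parse_digests(make_sample_digests(DISTFILE_NAME, DISTFILE_DATA))
    print("distfile ok:", verify_distfile(DISTFILE_NAME, DISTFILE_DATA, entries))
    print("tampered ok:", verify_distfile(DISTFILE_NAME, DISTFILE_DATA + b"x", entries))
```

The pin check deliberately ignores subkey fingerprints and refuses anything shorter than a full fingerprint, so a rotated or substituted key fails closed until the pin in the ebuild/metadata is updated; that is exactly the point where the versioning question raised above has to be answered, since old distfiles keep the old pin.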