Hi all,

We are still using a non-expiring 1024-bit DSA key to sign our
releases. If we're spending time on signing the releases in the first
place, this seems a bit silly.

I propose we phase out this key; after this batch of releases, we
should use it to sign a new key and then discontinue its use. I am not
sure whether to suggest revocation, or setting some short expiration
date.

If we agree to do that, I can do this, and coordinate delivering the
new key(s) to maintainers off-list. If I am generating the new key,
I'd also sign the key with my personal key, which has some
FOSDEM-signing-party signatures on it.

Let me know what you think.
