Hi Maxim,

Maxim Cournoyer <[email protected]> writes:

> Hi,
>
> Ludovic Courtès <[email protected]> writes:
>
>> Hello,
>>
>> Vagrant Cascadian <[email protected]> skribis:
>>
>>> So, there are quite a few different ways in which the keys *could* be
>>> updated automatically ... although the intersecting set of update
>>> methods might be a mess. :/
>>
>> What about downloading the keys from <https://codeberg.org/USER.gpg> and
>> requesting that each committer keeps it up-to-date?
>>
>> Now, we should also minimize them (strip them of signatures) before
>> adding them to the ‘keyring’ branch.
>
> Wouldn't frequent updates to the keyring branch be a bit worrisome?
> Currently the keys only change very rarely, but if we were to refresh
> them every year or so, that'd be a lot of potential sensitive
> commits/key updates to verify, if someone was to keep track of them.

Could you clarify what's there to verify in the keyring branch?
The .guix-authorizations is the place that says the fingerprints of the keys.
As long as the fingerprint stays the same, all is fine, no? And I think that's
already checked when guix does auth. (if it isn't, I think it should be)

To me it seems only when .guix-authorizations changes there is something to
actually verify. (when yes you should also check the keyring branch, but just
for that particular key)

But maybe I am overseeing something.

Rutherther
