Hello, [re-posted from savannah-hackers-public]
Currently, Savannah serves all GPG keys registered in accounts of group's members as the keyring of the respective group, like [0]. This keyring doesn't work very well as a source of signing keys of group's releases, because the group may have many more members than persons who actually sign releases: any member can carelessly register new keys without thinking about the impact on the security of released files, and team's admins have but to monitor the aggregated keyring---I don't believe anyone actually does (also, people may have one key for getting encrypted personal emails and another key for signing tarballs).

In particular, the set of keys registered by members of 'emacs' has quite a few very old keys, and one of them is dsa768; as far as I understand, such keys aren't considered adequate these days. If the bad ones crack such a key and replace files on a mirror (I think it would be easier to set up a mirror and register it on Savannah than to crack the key), they'll be able to get round the signature verification for those who are unfortunate enough to pick that mirror.

Probably, it would be better if each group had a public area where its admins (rather than every member) could post only keys used for releases, like GnuPG does [1]. I've pushed a patch for it to the group-keyring branch [2]. What do people think?

[0] https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=emacs
[1] https://www.gnupg.org/signature_key.html
[2] https://git.savannah.gnu.org/cgit/administration/savane.git/log/?h=group-keyring
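An added example of the kind of audit the post implies a group admin would need to run over an aggregated keyring; it is not code from Savannah or from the group-keyring branch. It parses the machine-readable output of `gpg --with-colons --list-keys` (a constructed sample is embedded so it runs offline) and flags primary keys such as the dsa768 one mentioned above; the 2048-bit minimum and the sample key ids are assumptions.

```python
"""Flag keys in a GPG keyring listing that are unsuitable for release signing."""
import time

# OpenPGP public-key algorithm ids as they appear in field 4 of --with-colons output.
ALGO = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ELG", 17: "DSA",
        18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Assumed policy: finite-field keys below this size are not adequate for signing.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "ELG": 2048}

# Constructed sample of `gpg --with-colons --list-keys` output (key ids are made up):
# an old dsa768 key, a current rsa4096 key, and an expired rsa2048 key.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:-:768:17:0123456789ABCDEF:970000000:::-:::scSC::::::::0:
uid:-::::970000000::DEADBEEF::Old Maintainer <old@example.org>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1600000000:::-:::scESC::::::::0:
uid:-::::1600000000::CAFEBABE::Release Manager <rm@example.org>::::::::::0:
pub:e:2048:1:1111222233334444:1400000000:1500000000::-:::scESC::::::::0:
uid:e::::1400000000::F00DF00D::Former Member <gone@example.org>::::::::::0:
"""


def audit_keyring(colons_text, now=None):
    """Return (keyid, reason) pairs for primary keys that should not sign releases."""
    now = int(time.time()) if now is None else now
    findings = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] != "pub":              # only primary keys; 'sub' lines share the verdict
            continue
        validity, bits, algo_id, keyid = f[1], int(f[2]), int(f[3]), f[4]
        algo = ALGO.get(algo_id, "algo%d" % algo_id)
        if algo in MIN_BITS and bits < MIN_BITS[algo]:
            findings.append((keyid, "%s%d below %d-bit minimum"
                             % (algo.lower(), bits, MIN_BITS[algo])))
        if validity == "r":            # field 2: r = revoked
            findings.append((keyid, "revoked"))
        elif f[6] and int(f[6]) < now:  # field 7: expiration as seconds since epoch
            findings.append((keyid, "expired"))
    return findings


if __name__ == "__main__":
    for keyid, reason in audit_keyring(SAMPLE):
        print("%s: %s" % (keyid, reason))
```

To audit a real group keyring, pipe `gpg --no-default-keyring --keyring group.gpg --with-colons --list-keys` into `audit_keyring`.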