fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software
405 stars, 148 forks

Document the key used to sign releases #324

Open. zyga opened this issue 3 years ago

zyga commented 3 years ago

The debian pypi redirector [1] detects a gpg key used for signing releases. It would be easier to verify those if the project published a gpg keyring with keys that can sign upstream releases.

[1] https://pypi.debian.net/reuse/

mxmehl commented 3 years ago

Definitely helpful, thanks for the idea.

@carmenbianca Did you so far use your private GPG key for this, or is there a separate one?

mxmehl commented 2 years ago

Answering my own question: yes, we use private keys, namely @carmenbianca's (2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92) and mine (A942CD00386B3CB26BA9BB652704E4AB371E2E92)

Any suggestions how to best document this? README?
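Once the fingerprints are documented, the check a downstream packager (such as the Debian redirector mentioned in the issue) actually wants is not just "gpg --verify exited 0" but "the valid signature came from one of the documented keys": a zero exit from gpg only means some key in the local keyring produced a valid signature. The script below is an added example, not code from the reuse-tool project; it pins the two fingerprints quoted in this thread, parses the VALIDSIG line from gpg's machine-readable `--status-fd` output, and compares the primary-key fingerprint against that allowlist. The sample status lines (`SAMPLE_OK`, `SAMPLE_OTHER`, `SAMPLE_BAD`) and the signer name/address are constructed for the example; `verify_release` is a hypothetical wrapper that needs a real gpg with the keys imported.

```shell
#!/bin/sh
# Added example (not part of fsfe/reuse-tool): accept a release signature only if
# the key that produced it is one of the documented release-signing keys.
# The two fingerprints are the ones quoted in the issue thread.
ALLOWED_FPRS="2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92 A942CD00386B3CB26BA9BB652704E4AB371E2E92"

# signer_fpr STATUS_TEXT: print the primary-key fingerprint from the first
# "[GNUPG:] VALIDSIG ..." line (its last field), or nothing if there is none.
# A BADSIG/ERRSIG line carries no VALIDSIG, so an invalid signature yields nothing.
signer_fpr() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# is_allowed FPR: succeed only if FPR is in the pinned allowlist.
is_allowed() {
    for f in $ALLOWED_FPRS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# check_status STATUS_TEXT: classify gpg status output as
# "ok", "untrusted-signer" or "no-valid-signature".
check_status() {
    fpr=$(signer_fpr "$1")
    if [ -z "$fpr" ]; then
        echo "no-valid-signature"
    elif is_allowed "$fpr"; then
        echo "ok"
    else
        echo "untrusted-signer"
    fi
}

# verify_release SIGFILE FILE (hypothetical wrapper): run gpg with status output
# on stdout and classify it. Requires gpg and the documented keys in the keyring;
# not exercised by the constructed samples below.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    check_status "$status"
}

# Constructed sample status output (not captured from a real release).
SAMPLE_OK="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CD0A90F1C5CA0C92 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92 2022-01-01 1640995200 0 4 0 1 10 00 2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92"
# Valid signature, but from a key that is not on the documented list.
SAMPLE_OTHER="[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-01-01 1640995200 0 4 0 1 10 00 0000000000000000000000000000000000000000"
# Signature did not verify at all.
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG CD0A90F1C5CA0C92 Example Signer <signer@example.org>"

# Stand-alone run: prints ok / untrusted-signer / no-valid-signature.
check_status "$SAMPLE_OK"
check_status "$SAMPLE_OTHER"
check_status "$SAMPLE_BAD"
```

The allowlist compares the primary-key fingerprint (the last VALIDSIG field), so a signature made by a signing subkey of a documented key still passes, while a valid signature from any other key imported into the keyring is rejected rather than silently accepted.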

linozen commented 2 years ago

Would it be OK for the core team if I included all of their public key IDs in the README?

mxmehl commented 2 years ago

For me that would be fine. @floriansnow @nicorikken, for you?

carmenbianca commented 2 years ago

Fine by me

nicorikken commented 2 years ago

I don't see myself signing the release in the near future so I don't think we have to include my key at this moment.