[Pkg-electronics-devel] Drawtiming, offer of repair/adoption
Aymeric Agon-Rambosson
aymeric.agon at yandex.com
Tue Feb 28 18:57:50 GMT 2023
On Tuesday, 28 February 2023 at 03:02, أحمد المحمودي
<aelmahmoudy at users.sourceforge.net> wrote:
> I don't understand the reason for dropping upstream signing key.

The upstream tarball can be retrieved through HTTPS, which
guarantees the identity of the website it is retrieved from.
Hence, if we trust SF, we can trust the tarball as well.

Then, if we don't trust SF, I'm not sure we can quite trust the
public key either, since it is hosted on SF as well.

The key is a gpg v1 (!) 1024-bit elgamal signing subkey of a
1024-bit dsa key. I vaguely remember lintian complaining about
that (rightly so).

So I decided that it wasn't worth the effort to keep, and I
dropped it.

Feel free to put it back, however.

Best,

Aymeric