Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

[Simon Josefsson]

Darshit Shah <darnir@gnu.org> writes:

> +   --gpg-keyring-url=URL        URL pointing to the GnuPG Keyring containing
> +                                the key used to sign the tarballs
...
>  If that command fails because you don't have the required public key,
>  then run this command to import it:
>  
> -  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> +  wget -q -O- '$gpg_keyring_url' | gpg --import -

Hi.  I agree this part of announce-gen is sub-optimal.   There were
earlier discussions about solutions:

https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242

My first reaction was that we should use something like that instead,
and not your patch.  However given how unreliable the GnuPG parameters
(different version compatibility, and some reports about bugs) are wrt
to key servers, I prefer your approach to mention a URL in the
announcement instead of suggesting --recv-keys or some variant of
--locate-external-keys.  This also makes it much easier for anyone not
using GnuPG to locate the OpenPGP key.

Do you have push access to gnulib, or do you want me to polish up the
patch and push it?

/Simon

signature.asc
Description: PGP signature