[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for
|
From: |
Darshit Shah |
|
Subject: |
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG |
|
Date: |
Sun, 13 Mar 2022 15:21:13 +0100 |
|
User-agent: |
Cyrus-JMAP/3.5.0-alpha0-4778-g14fba9972e-fm-20220217.001-g14fba997 |
On Sun, Mar 13, 2022, at 09:10, Simon Josefsson wrote:
> Darshit Shah <darnir@gnu.org> writes:
>
>> + --gpg-keyring-url=URL URL pointing to the GnuPG Keyring containing
>> + the key used to sign the tarballs
> ...
>> If that command fails because you don't have the required public key,
>> then run this command to import it:
>>
>> - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>> + wget -q -O- '$gpg_keyring_url' | gpg --import -
>
> Hi. I agree this part of announce-gen is sub-optimal. There were
> earlier discussions about solutions:
>
> https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242
>
> My first reaction was that we should use something like that instead,
> and not your patch. However given how unreliable the GnuPG parameters
> (different version compatibility, and some reports about bugs) are wrt
> to key servers, I prefer your approach to mention a URL in the
> announcement instead of suggesting --recv-keys or some variant of
> --locate-external-keys. This also makes it much easier for anyone not
> using GnuPG to locate the OpenPGP key.
>
> Do you have push access to gnulib, or do you want me to polish up the
> patch and push it?
I don't have push access to gnulib, so could you please push it for me?