[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for
From: |
Simon Josefsson |
Subject: |
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG |
Date: |
Sun, 13 Mar 2022 09:10:54 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Darshit Shah <darnir@gnu.org> writes:
> + --gpg-keyring-url=URL URL pointing to the GnuPG Keyring containing
> + the key used to sign the tarballs
...
> If that command fails because you don't have the required public key,
> then run this command to import it:
>
> - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> + wget -q -O- '$gpg_keyring_url' | gpg --import -
Hi. I agree this part of announce-gen is sub-optimal. There were
earlier discussions about solutions:
https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242
My first reaction was that we should use something like that instead,
and not your patch. However given how unreliable the GnuPG parameters
(different version compatibility, and some reports about bugs) are wrt
to key servers, I prefer your approach to mention a URL in the
announcement instead of suggesting --recv-keys or some variant of
--locate-external-keys. This also makes it much easier for anyone not
using GnuPG to locate the OpenPGP key.
Do you have push access to gnulib, or do you want me to polish up the
patch and push it?
/Simon
signature.asc
Description: PGP signature