Followup-For: Bug #1026277

On Sun, 28 May 2023 16:50:31 +0100, James wrote:
> * My release signing has been inconsistent, partly because I'm not sure I
> have a long-term commitment to being a Debian Maintainer/Developer, and
> partly because I'm not sure I can reliably keep those keys secure (so, at
> best I think they would provide some integrity verification support, but
> I don't think they really attest highly that I'm the sole or uncompromised
> author). Not a particularly useful mindset to have, some might argue, but
> it does lead me towards using ephemeral keypairs (somewhere, once, I had
> some web-of-trust identity, but I haven't continued to use or maintain
> it).

In retrospect, I think this is probably an argument for exploring and learning better signing practices rather than a packaging problem. (Also, to nitpick / clarify: when referring to authorship there, that was only in reference to the packaging and edits made from the existing published open source game engine code.)