On Fri, Sep 18, 2015 at 5:16 AM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
> I do sincerely hope package maintainers have a well thought out setup for
> key management locally and in fact verify the OpenPGP signatures vs known
> good keys, and that appropriate measures are being taken in the case of
> non-maintainer commits that don't reduce the level of security.
I'd be utterly shocked if even 30% of maintainers are checking upstream gpg keys when doing new releases. I'm sure it happens sometimes. I'd suggest adding it to the DCO when we actually have a DCO, though that doesn't actually ensure that anybody follows it. And the wording would have to be careful since not all upstreams even sign their releases at all, and if they do, many/most maintainers probably haven't personally verified the keys.

I certainly haven't met the upstream developers of any of the packages I maintain in person - I haven't even met another Gentoo dev in person.

-- 
Rich
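As an added illustration of what "verify the OpenPGP signatures vs known good keys" amounts to in practice (this is not code from the thread, from Gentoo, or from any upstream): the check below verifies a release tarball against a keyring that contains only the upstream key(s) the maintainer has personally vetted, and additionally compares the signing key's primary fingerprint against the one the maintainer expects. A bare `gpg --verify` against the default keyring says "good signature" for any key it can find, including one pulled from a keyserver, so the pinned keyring and the fingerprint comparison are the parts that actually tie the check to a known-good key. The function name, the keyring path and the fingerprints are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or any project's tooling.
#
# verify_release KEYRING FINGERPRINT TARBALL SIGNATURE
#   KEYRING     - keyring file holding only upstream keys you have verified
#                 out of band (assumed name: ./upstream-keys.gpg)
#   FINGERPRINT - 40-hex-digit primary-key fingerprint you expect signed it
#   TARBALL     - the release file
#   SIGNATURE   - its detached signature (.asc or .sig)
# Returns 0 only if the signature verifies AND was made by that fingerprint.
verify_release() {
    keyring=$1
    tarball=$3
    sig=$4
    # Normalise the expected fingerprint: strip spaces, upper-case hex.
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')

    # --no-default-keyring/--keyring: trust only the pinned keyring, never
    # the user's general keyring or anything fetched from a keyserver.
    # --trust-model always: the keyring itself is the trust decision, so no
    # web-of-trust validity is required for VALIDSIG to be emitted.
    # --status-fd 1: machine-readable result lines on stdout.
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --trust-model always --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || return 1

    # A VALIDSIG line is only emitted for a good signature; its last field
    # is the primary-key fingerprint of the key that made it.
    actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Usage (assumed file names):
#   verify_release ./upstream-keys.gpg \
#       'ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01' \
#       foo-1.0.tar.xz foo-1.0.tar.xz.asc && echo "release ok"
if [ $# -eq 4 ]; then
    verify_release "$@"
fi
```

The keyring is meant to be populated once, after the key has been checked against something other than the keyserver (the project's own site over TLS, a previous release signed by the same key, a fingerprint confirmed with the developer), and then left alone; a signature made by a different key, or by a key that was later added without going through that step, fails the fingerprint comparison even though gpg itself would report the signature as good.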