l...@gnu.org (Ludovic Courtès) wrote:

> Even for GNU, we’d have to ask the FSF, and obviously the set of
> authorized keys for each package keeps changing. So we’d need the FSF
> to provide us with a database/server to answer questions such as “which
> public keys could sign for GNU Foo at this date?” in a secure way.

Actually I see that GSRC already maintains per-package keyrings. How is this maintained, Brandon? That is, where do you get information on which keys to put in the keyring, etc.?

Thanks,
Ludo’.

PS: For context, see the thread starting at <https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html>.