On Tue, Sep 07, 2021 at 12:49:00PM -0700, Junio C Hamano wrote:

> > Have you extended the expiration on it? I wasn't able to find any
> > updates on the keyservers I checked. But regardless, we should probably
> > ship an updated one via the tag.
>
> I am reasonably sure that I've done an update with pgp.mit.edu when I
> refreshed the expiration last time, but apparently I didn't update
> the in-tree copy. I doubt that it is a good practice to ship the
> public key used to sign things in the repository in the repository
> itself, but if we are not dropping the tag, I agree I should keep it up
> to date.

Yeah, I agree that that is potentially problematic: it's a circular
dependency, plus updating tags is awkward, per Ævar's other message.
Perhaps we should replace it with instructions on getting the key?

I tried a blind "gpg --recv-keys" and came up with an old version ("not
changed" according to GPG). That hits keys.openpgp.org by default. A lot
of the keyservers used to peer with each other, but I've heard that
there's less of that these days due to key-spamming attacks (but it's
not really something I keep up with).

I admit that I never actually verify git.git's tags anyway (why would I?
I'm fetching unsigned branch tips from your repo constantly anyway). I
only noticed because I was looking for a bug in "git tag --verify
--format". :)

-Peff
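The thread's point is that a signing key shipped inside the repository it signs is circular: the verifier should obtain the key independently (keyserver, maintainer's page) and only then check the tag. The script below, added here as an illustration and not code from the thread or from git.git, walks through that end to end with throwaway keys and a throwaway repository: a maintainer key is generated, exported to a file standing in for the independently fetched key, a tag is signed, verification with an empty keyring is shown to fail, and verification after importing the key succeeds and prints fields via `git tag -v --format`. It assumes `git` and `gpg` (2.1 or newer) are installed; the identity `maintainer@example.invalid`, the tag name `v1.0` and all directory names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from git.git).
# Demonstrates verifying a signed git tag against a key obtained outside the
# repository, instead of trusting a key file shipped in-tree.
# Assumes git and gpg 2.1+ are on PATH; every key and repo here is throwaway.
set -eu

demo_tag_verify() {
    work=$(mktemp -d)
    signer_home="$work/signer-gnupg"      # "maintainer" keyring (constructed)
    verifier_home="$work/verifier-gnupg"  # "user" keyring, starts empty
    repo="$work/repo"
    # Stop the per-homedir agents and remove everything when the shell exits.
    trap 'GNUPGHOME="$signer_home" gpgconf --kill gpg-agent 2>/dev/null || true;
          GNUPGHOME="$verifier_home" gpgconf --kill gpg-agent 2>/dev/null || true;
          rm -rf "$work"' EXIT
    mkdir -m 700 "$signer_home" "$verifier_home"

    # 1. Maintainer side: generate an unprotected throwaway signing key.
    GNUPGHOME="$signer_home" gpg --batch --quiet --passphrase '' \
        --quick-generate-key 'Example Maintainer <maintainer@example.invalid>' \
        default default never
    fpr=$(GNUPGHOME="$signer_home" gpg --batch --with-colons --list-keys \
          | awk -F: '/^fpr/ { print $10; exit }')

    # 2. Export the public key to a file. This stands in for a key the verifier
    #    fetched from a keyserver or the maintainer's own page, i.e. from a
    #    channel that does not depend on the repository being verified.
    GNUPGHOME="$signer_home" gpg --batch --armor --export "$fpr" \
        > "$work/maintainer.asc"

    # 3. A repository with one commit and one signed tag.
    git init -q "$repo"
    git -C "$repo" -c user.name=Maintainer \
        -c user.email=maintainer@example.invalid \
        commit -q --allow-empty -m "initial"
    GNUPGHOME="$signer_home" git -C "$repo" -c user.name=Maintainer \
        -c user.email=maintainer@example.invalid -c user.signingkey="$fpr" \
        tag -s -m "release 1.0" v1.0

    # 4. Verifier side with an empty keyring: the signature cannot be checked,
    #    so git must report failure. A verifier that silently accepted here
    #    would be trusting nothing at all.
    if GNUPGHOME="$verifier_home" git -C "$repo" tag -v v1.0 >/dev/null 2>&1; then
        echo "unexpected: tag verified without the signing key"
        return 1
    fi

    # 5. Import the independently obtained key and verify again. With --format,
    #    git prints the requested tag fields only for tags whose signature
    #    checks out, which makes the result easy to consume from scripts.
    GNUPGHOME="$verifier_home" gpg --batch --quiet --import "$work/maintainer.asc"
    GNUPGHOME="$verifier_home" git -C "$repo" tag -v \
        --format='%(refname:short) %(taggername)' v1.0 2>/dev/null
}
```

Run it as a script and the last line printed is `v1.0 Maintainer`; the only trust decision in the whole flow is step 2, which is exactly the step an in-tree key file short-circuits.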