On Tue, Sep 07, 2021 at 04:30:53PM -0400, Jeff King wrote: > > I am reasonably sure that I've done update with pgp.mit.edu when I > > refreshed the expiration last time, but apparently I didn't update > > the in-tree copy. I doubt that it is a good practice to ship the > > public key used to sign things in the repository in the repository > > itself, but if are not dropping the tag, I agree I should keep it up > > to date. > > Yeah, I agree that the is potentially problematic: it's a circular > dependency, plus updating tags is awkward, per Ævar's other message. It's not really as circular as it would appear at the outset -- at least not any more circular than any other situation, in reality. E.g. my favourite example: 1. you should verify the checksum of your distro's ISO before installing it 2. the checksum is available over a trusted https:// connection 3. the trust anchors for that https verification come with the browser package 4. which was installed from the ISO you downloaded the last time 5. goto 1 Bootstrapping trust is a hard problem and no matter how you look at it, at some point you have to just close your eyes and hope that the adversary isn't one step ahead of you. So, I'd say putting the key into the git repository itself is fine. After all, it gets imported into the local PGP keyring on someone's workstation, where it gets a separate life of its own. -K
