Am I the only person in the universe who verifies signatures for software source tarballs? This is the *second* time I've had to report this exact same ticket on the project:

And the fact that they're replacing PGP signatures with a tool whose README (a) has a big warning that it's alpha-quality and should not be used, and (b) says that it is not a suitable replacement for PGP signatures and should not be used as such... :sad_but_cool:

Interesting because it seems they’re signing their git tags diligently:

I wonder what they mean by “having access to the signing key”. Sadly there are no procedures for access described on
