Discussion: tarball signing practice
We recently started signing release tarballs with multiple keys. As that imposes some overhead in the release process, it might need further discussion.
- Do we want to keep this practice (multiple signatures)? What are the benefits and drawbacks?
- Is the keyring management good enough?
- Can we simplify the process by automation, e.g., by signing with a vault key shared by multiple people as in libreswan?
Edited by Zoltán Fridrich