From: Leonidas Spyropoulos <artafinde@archlinux.org>
To: kexec@lists.infradead.org
Subject: Re: [ANNOUNCE] makedumpfile 1.7.7
Date: Wed, 23 Apr 2025 22:00:23 +0300 [thread overview]
Message-ID: <3609c281-fe6d-4a85-af69-0b2ec958250a@archlinux.org> (raw)
In-Reply-To: <0e3945ff-e224-49b2-b122-0c0290d00b74@nec.com>
On 22/04/2025 10:58, YAMAZAKI MASAMITSU(山崎 真光) wrote:
> Hi,
>
> We're pleased to announce the release of makedumpfile 1.7.7.
> Thank you everyone for your help to maintain the tool.
>
> Download:
> The latest makedumpfile can be downloaded from the following page.
> https://github.com/makedumpfile/makedumpfile/releases
>
Hello,

I'm the Arch Linux package maintainer for makedumpfile. In previous
releases both the commit and the tag were signed with the GPG key of
Kazuhito Hagio. The 1.7.7 release is not signed (neither the commit nor the
tag) and comes from a different person (YAMAZAKI MASAMITSU). From a
chain-of-trust perspective that's not great.

Ideally we'd like these to be GPG signed and to have some kind of chain of
trust from the previous release to the current one.

To resolve the current situation I suggest, if possible, adding at the
root of the project a text file with the approved GPG keys of those who
release this project, added in a commit signed by Kazuhito Hagio. This will
establish a chain of trust between Hagio's GPG key and Masa's key. Or,
more complicated, sign Masa's key with Hagio's. In both cases a new
signed tag 1.7.8 will be required, as 1.7.7 is currently not OK (in terms of
chain of trust) and re-tagging is also bad for downstream systems and
security-wise.

You can find more information on Arch's and other distros' motivation
for this in our recent RFC [0].

[0]: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/46

Cheers,
--
Leonidas Spyropoulos
Developer & DevOps
PGP: 59E43E106B247368
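A downstream check of the kind this message asks for, added here as an example (not code from the makedumpfile project or from anyone in the thread): it parses the GnuPG status lines that `git verify-tag --raw` writes to stderr and accepts a tag only if the signature is good and the signer's primary-key fingerprint appears in an approved-keys file committed at the repo root. The allowlist format, the fingerprints and the status lines below are constructed assumptions.

```python
import re
import subprocess

# Constructed allowlist in the shape the email proposes: approved release signers'
# primary-key fingerprints, kept at the repo root under a signed commit. Placeholders.
APPROVED_KEYS_TEXT = """\
# approved release signing keys (40-hex-char fingerprints)
0123456789ABCDEF0123456789ABCDEF01234567  # hypothetical maintainer A
FEDCBA9876543210FEDCBA9876543210FEDCBA98  # hypothetical maintainer B
"""

# Constructed GnuPG status-fd output of the kind `git verify-tag --raw` writes to stderr.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Hypothetical Maintainer <a@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-04-22 1745308680 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Any of these means the signature must be rejected, whatever else gpg prints.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_allowlist(text):
    """Return the set of approved fingerprints; '#' starts a comment."""
    keys = {l.split("#", 1)[0].strip().upper() for l in text.splitlines()} - {""}
    bad = [k for k in keys if not re.fullmatch(r"[0-9A-F]{40}", k)]
    if bad:
        raise ValueError(f"malformed fingerprints: {bad}")
    return keys


def check_status(status, approved):
    """Return (ok, reason): ok only for GOODSIG + VALIDSIG by an approved key."""
    good, fpr = False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, f"gpg reported {fields[1]}"
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            # Field 11 (primary-key fingerprint) is present when a subkey signed; else field 2.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if not good or fpr is None:
        return False, "no valid signature"
    if fpr not in approved:
        return False, f"signer {fpr} not in approved list"
    return True, f"signed by approved key {fpr}"


def verify_tag(tag, approved):
    """Check a local tag with `git verify-tag --raw` (needs git and gpg installed)."""
    proc = subprocess.run(["git", "verify-tag", "--raw", tag], capture_output=True, text=True)
    return check_status(proc.stderr, approved)
```

The approved-keys file itself is only as trustworthy as the signed commit that introduced it, so a packager would pin that commit (or Hagio's key) out of band rather than trusting whatever the current checkout contains.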