[FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

Michael Niedermayer michael at niedermayer.cc
Mon Aug 8 18:43:15 EEST 2022


On Mon, Aug 08, 2022 at 12:16:36PM -0300, James Almer wrote:
> On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> > From: Michael Niedermayer <michael-git at niedermayer.cc>
> > 
> > Signed-off-by: Michael Niedermayer <michael-git at niedermayer.cc>
> > ---
> >   MAINTAINERS | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 7ed15f96f6..ed2ec0b90c 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
> >   Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
> >   Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
> >   Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> > +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
> 
> There is a "FFmpeg release signing key" key already, used for the tarballs,
> and which you obviously have access to. Can we not use it for the release
> tags too, instead of a new key to your name? 

possible


> It would probably require
> creating the git tags using the ffmpeg-devel at ffmpeg.org email.

If the goal is to get a "verified" sticker on GitHub, I think that would require
an account on GitHub too that has a GPG key and email of ffmpeg-devel at ffmpeg.org.
I am not sure about the security implications if a GitHub account uses a
public mailing list on a secondary email address.


> 
> This new key of yours could be used for your commits, but for the release
> tags, if possible better use the same key the relevant tarball will also
> use, IMO. It will simplify package managers that already fetch tarballs to
> also fetch git tags as fallback and not require the use of a different key
> for verification.
> 
> >   Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
> >   Niklas Haas (haasn)           1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4
> >   Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
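
Review bot: the added continuation line under "Michael Niedermayer" lists only a second fingerprint, so nothing in MAINTAINERS distinguishes it from the existing 9FF2 128B ... key on the line above or says what it is for. The subject calls it an ED25519 key for a tag/commit signing experiment, but the commit message has no body beyond the Signed-off-by. State there, or in a short annotation in the file, which key signs what, so that someone verifying a tag or commit knows which fingerprint to expect.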

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA