[FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

Michael Niedermayer michael at niedermayer.cc
Wed Aug 31 21:57:47 EEST 2022


On Mon, Aug 08, 2022 at 05:43:15PM +0200, Michael Niedermayer wrote:
> On Mon, Aug 08, 2022 at 12:16:36PM -0300, James Almer wrote:
> > On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> > > From: Michael Niedermayer <michael-git at niedermayer.cc>
> > > 
> > > Signed-off-by: Michael Niedermayer <michael-git at niedermayer.cc>
> > > ---
> > >   MAINTAINERS | 1 +
> > >   1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/MAINTAINERS b/MAINTAINERS
> > > index 7ed15f96f6..ed2ec0b90c 100644
> > > --- a/MAINTAINERS
> > > +++ b/MAINTAINERS
> > > @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
> > >   Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
> > >   Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
> > >   Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> > > +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
> > 
> > There is a "FFmpeg release signing key" key already, used for the tarballs,
> > and which you obviously have access to. Can we not use it for the release
> > tags too, instead of a new key to your name? 
> 
> possible
> 
> 
> > It would probably require
> > creating the git tags using the ffmpeg-devel at ffmpeg.org email.
> 
> If the goal is to get a "verified" sticker on github i think that would require
> an account on github too that has a gpg key and email of ffmpeg-devel at ffmpeg.org
> iam not sure about the security implications if a github account uses a
> public mailing list on a secondary email address

also i just noticed that "git tag" seems not to have any option to set the
tagger. I would have to hack the git config to set it to 
ffmpeg-devel at ffmpeg.org, that feels really like iam doing something thats not
supposed to be done. So for 5.1.1 ill stay with the natural thing and just
create the tag, but iam happy to set the tagger and key to anything people
want. Please start a RFC or something if you want so people can discuss
this, i wonder what other projects do ...

thx

[...]



-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220831/f3838355/attachment.sig>


More information about the ffmpeg-devel mailing list