libmpdclient

2.24: Missing trust path between releases

Open dvzrv opened this issue 5 months ago • 4 comments

Hi 👋

When trying to upgrade the package on Arch Linux from 2.23 to 2.24, I noticed that the tag for 2.24, created by @jcorporation, is not signed.

All previous releases (tags and custom source tarballs) have been signed with @MaxKellermann's OpenPGP key with the fingerprint 0392335A78083894A4301C43236E8A58C6DB4512.

On Arch Linux we follow best practices around the verification of upstream sources (see https://rfc.archlinux.page/0046-upstream-package-sources/). These require us to check when a trust chain has been broken (which is the case with release v2.24). In addition, we attempt to use transparent sources (i.e. the contents of a locked git tag in this case).

Please establish a chain of trust between the persons creating releases of this project by cross-signing your OpenPGP keys and creating a new, signed tag (e.g. 2.24.1), so that downstreams can use the release.

Thanks!

dvzrv, Aug 24 '25 00:08
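The downstream check described in the issue, as an added example that is not part of the issue or of the libmpdclient project: it judges the gpg status lines that `git verify-tag --raw` relays and accepts a tag only when its signature is valid and comes from the release key with the fingerprint quoted above. The sample status output, the `signer@example.invalid` user id and the all-`F` fingerprint are constructed; only the trusted fingerprint comes from the page.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# Fingerprint quoted in the issue: the key that signed every release before 2.24.
TRUSTED_RELEASE_KEYS = {"0392335A78083894A4301C43236E8A58C6DB4512"}

@dataclass
class TagVerdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def judge_status(status: str, trusted=TRUSTED_RELEASE_KEYS) -> TagVerdict:
    """Evaluate gpg --status-fd lines (what `git verify-tag --raw` prints on stderr)."""
    fpr, good = None, False
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output or "error: no signature found"
        fields = line.split()
        kw = fields[1]
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hashalgo> <class> <primary-fpr>
            # Compare the primary-key fingerprint so a signing subkey still maps to its owner's key.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            return TagVerdict(False, f"signature problem: {kw}", fpr)
    if not good or fpr is None:
        return TagVerdict(False, "no valid signature on tag (unsigned tag breaks the trust chain)")
    if fpr not in trusted:
        return TagVerdict(False, "signed, but not by a trusted release key", fpr)
    return TagVerdict(True, "signed by trusted release key", fpr)

def verify_tag(tag: str, repo: str = ".") -> TagVerdict:
    """Run git verify-tag --raw in a local clone and judge its status output."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return judge_status(proc.stderr)

# Constructed sample status output (not captured from the real repository).
SIGNED_BY_RELEASE_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 236E8A58C6DB4512 Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0392335A78083894A4301C43236E8A58C6DB4512 2024-01-01 1704067200 0 4 0 22 10 01 0392335A78083894A4301C43236E8A58C6DB4512
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SIGNED_BY_OTHER_KEY = SIGNED_BY_RELEASE_KEY.replace("0392335A78083894A4301C43236E8A58C6DB4512", "F" * 40)
UNSIGNED_TAG = "error: no signature found\n"
```

In a packaging script, `verify_tag("2.24", repo="libmpdclient")` would return the unsigned-tag verdict for the release the issue is about, and a tag signed by a key outside `TRUSTED_RELEASE_KEYS` is rejected even though gpg reports the signature itself as good.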