Salvo Tomaselli <tiposchi@tiscali.it> writes:

>> hi, on "no public key" list there are my uploads, I'm a Debian maintainer
>> (https://nm.debian.org/person/fantu/), I signed with my key and I have
>> DM upload right for them
>> (https://qa.debian.org/developer.php?login=fantonifabio%40tiscali.it)
>
> I think he just didn't check the debian-maintainer keyring at all.

Dmitri, could you re-run the numbers with the debian-maintainer keyring?

The numbers suggest to me that signing strength of DSC signatures, on the contrary, really does provide value and that it is working well. The instances of RIPEMD160/SHA1 I checked were old, and the number of failures is quite low compared to the overall number of uploaded packages. Thus we have good assurance on the majority of packages.

We should make sure RIPEMD160/SHA1 signatures are rejected going forward, as well as the wrong-key-usage.

/Simon
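The policy the message asks for (check the signing key against the accepted keyrings, reject RIPEMD160/SHA1 signatures, reject keys whose usage flags do not permit signing) can be expressed as a small check over gpg's machine-readable output. The following is an added example, not code from this thread or from Debian's archive tooling; it parses `gpg --status-fd` VALIDSIG lines and a `gpg --with-colons` key listing. The fingerprints, key IDs and user IDs below are constructed sample values, and the helper names (`key_capabilities`, `check_dsc_signature`, `sample_status`) are this example's own.

```python
# Added example (not from the thread): policy check for OpenPGP signatures on
# .dsc files, driven by gpg's machine-readable output. It flags signatures that
# use MD5/SHA-1/RIPEMD-160, signing keys that are absent from the accepted
# keyrings (e.g. debian-keyring plus debian-maintainers), and keys whose
# capability flags do not include signing ("wrong key usage"). All key material
# below is constructed sample data in gpg's real --status-fd / --with-colons
# line formats.
from dataclasses import dataclass, field

# RFC 4880 hash algorithm IDs, as reported in the hash_algo field of VALIDSIG.
WEAK_HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}
HASH_NAMES = {**WEAK_HASH_ALGOS, 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Constructed fingerprints: key 1 may sign, key 2 is certify-only, key 3 is unknown.
FPR_SIGNING = "0" * 39 + "1"
FPR_CERT_ONLY = "0" * 39 + "2"
FPR_UNKNOWN = "0" * 39 + "3"

# Constructed `gpg --with-colons` listing of the accepted keyrings.
# Field 12 of a `pub` record is the capability string ('s' = may sign).
SAMPLE_LISTING = "\n".join([
    "pub:u:4096:1:0000000000000001:1514764800:::u:::scESC::::::23::0:",
    "fpr" + ":" * 9 + FPR_SIGNING + ":",
    "uid:u::::1514764800::HASH::Example Maintainer <dm@example.org>::::::::::0:",
    "pub:u:4096:1:0000000000000002:1514764800:::u:::cESC::::::23::0:",
    "fpr" + ":" * 9 + FPR_CERT_ONLY + ":",
])


@dataclass
class SigCheck:
    ok: bool
    fingerprint: str
    hash_name: str
    reasons: list = field(default_factory=list)


def key_capabilities(colon_listing):
    """Map primary-key fingerprints to capability strings from `gpg --with-colons`.

    The `fpr` record following each `pub` record carries the fingerprint in
    field 10; the `pub` record carries the capabilities in field 12.
    """
    caps, pending = {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            pending = f[11]
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            caps[f[9]] = pending
            pending = None
    return caps


def sample_status(fpr, hash_algo):
    """Construct `gpg --status-fd` output for a signature by `fpr` using `hash_algo`."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Maintainer <dm@example.org>",
        # VALIDSIG <fpr> <date> <ts> <expire> <version> <reserved> <pk_algo>
        #          <hash_algo> <sig_class> <primary_fpr>
        f"[GNUPG:] VALIDSIG {fpr} 2019-01-01 1546300800 0 4 0 1 {hash_algo} 00 {fpr}",
    ])


def check_dsc_signature(status_output, keyring_caps):
    """Evaluate `gpg --status-fd` output for one .dsc against the policy."""
    reasons, fpr, hash_name = [], "", "unknown"
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 11 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        # Prefer the primary-key fingerprint (last field) when gpg reports it.
        fpr = parts[11] if len(parts) > 11 else parts[2]
        hash_algo = int(parts[9])
        hash_name = HASH_NAMES.get(hash_algo, f"algo{hash_algo}")
        if hash_algo in WEAK_HASH_ALGOS:
            reasons.append(f"weak digest {hash_name}")
    if not fpr:
        return SigCheck(False, fpr, hash_name, ["no valid signature"])
    caps = keyring_caps.get(fpr)
    if caps is None:
        reasons.append("key not in accepted keyrings")
    elif "s" not in caps:
        reasons.append(f"key usage {caps!r} does not allow signing")
    return SigCheck(not reasons, fpr, hash_name, reasons)


if __name__ == "__main__":
    caps = key_capabilities(SAMPLE_LISTING)
    for who, algo in ((FPR_SIGNING, 8), (FPR_SIGNING, 2), (FPR_CERT_ONLY, 8), (FPR_UNKNOWN, 8)):
        print(check_dsc_signature(sample_status(who, algo), caps))
```

In a real run the status text comes from `gpg --status-fd 1 --verify file.dsc` and the listing from `gpg --with-colons --list-keys` over the keyrings the archive accepts, so that a signature from a key present only in an unchecked keyring shows up as "key not in accepted keyrings" rather than as a bare "no public key".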