Hello, On Mon 22 Jul 2019 at 07:55PM +01, Ian Jackson wrote: > That means the original "uploader" information (ie the identity of the > person signing the git tag) is not any more present in the source > package. To rememdy that I propose the following new field: > > Git-Tag-Info: FINGERPRINT Firstname Surname <email@address> > > The parsing rules are: the first word is the fingerprint entirely in > hex. The rest is from the tag's "tagger" line (and may not match). AIUI a fingerprint fails to uniquely identify a PGP key unless you also include the cryptographic algorithm that was used and the key size. So for example, my current key is uniquely identified by writing both 4096R and 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B. Even though it's unlikely we'll get a clash of fingerprints within the Debian keyring, it seems the algorithm and keysize ought to be included alongside the fingerprint, if the above is right. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature