Thanks for looking into this so quickly! It appears though, that the commit marking the bug as fixed, only deals with the assembly part. I don't see any additional commits in salsa either. This means when the next upstream release comes and it is (as announced to be possible with the last release) signed with one of the other keys, uscan will fail to verify the signature. The additional keys are listed in MAINTAINERS inside the last (signed) tarball. Additionally the git commit adding the keys to the list was also signed with the same key as used for the last few release tags and the last release archive. I only listed instructions (to the best of my knowledge, I may be wrong), since I assumed you might be more comfortable adding the keys yourself instead of having to check `gpg --list-packets` from a patched keyring file to ensure no additional malicious keys were added. If it’s preferred I can also send a patch. Cheers Oneric
Attachment:
signature.asc
Description: PGP signature