I package stuff for distros, in this case I'm the maintainer for the mattermost and mattermost-desktop packages in official Arch Linux repositories and keep a recipe for this plugin and others packaged in the AUR.
Previous releases have had the assembled artifact bundle GPG signed by a known party. The latest release has an unsigned artifact.
If this is an oversight can I request that it get signed so we don't have an unexplained laps in security/custody attestation? If signing assets is not going do be done could somebody with access to the previously used sigining key make a signed note to that effect? The key previously used was C55881B80F69E863B85AD5D1D1B54B47A5CEFEC4 identifying as Mattermost, Inc. support@mattermost.com.
Thanks.
I package stuff for distros, in this case I'm the maintainer for the mattermost and mattermost-desktop packages in official Arch Linux repositories and keep a recipe for this plugin and others packaged in the AUR.
Previous releases have had the assembled artifact bundle GPG signed by a known party. The latest release has an unsigned artifact.
If this is an oversight can I request that it get signed so we don't have an unexplained laps in security/custody attestation? If signing assets is not going do be done could somebody with access to the previously used sigining key make a signed note to that effect? The key previously used was
C55881B80F69E863B85AD5D1D1B54B47A5CEFEC4identifying as Mattermost, Inc. support@mattermost.com.Thanks.