[ANNOUNCE] makedumpfile 1.7.7
HAGIO KAZUHITO(萩尾 一仁)
k-hagio-ab at nec.com
Fri Apr 25 00:27:59 PDT 2025
On 2025/04/24 4:00, Leonidas Spyropoulos wrote:
> On 22/04/2025 10:58, YAMAZAKI MASAMITSU(山崎 真光) wrote:
>> Hi,
>>
>> We're pleased to announce the release of makedumpfile 1.7.7.
>> Thank you everyone for your help to maintain the tool.
>>
>> Download:
>> The latest makedumpfile can be downloaded from the following page.
>> https://github.com/makedumpfile/makedumpfile/releases
>>
> Hello,
>
> I'm a package maintainer for Arch Linux of the makedumpfile. Previous
> releases were signed both the commit and the tag with the GPG key of
> Kazuhito Hagio. The 1.7.7 release is not signed (neither commit nor the
> tag) and from a different person (YAMAZAKI MASAMITSU). From a chain of
> trust that's not great.
>
> Ideally we'd like these to be GPG signed and have some kind of chain of
> trust from previous release to current.
>
> To resolve the current situation I suggest, if possible, to add on the
> root of the project a text file with approved GPG keys who are releasing
> this project made with a signed commit from Kazuhito Hagio. This will
> establish a chain of trust between Hagio's GPG key and Masa's key. Or,
> more complicated, sign Masa's key with Hagio's. In both cases a new
> signed tag 1.7.8 will be required, as right now 1.7.7 is not OK (in terms
> of chain of trust) and re-tagging is also bad for downstream systems and
> security-wise.
>
> You can find more information on Arch's motivation for this and other
> distros' in our recent RFC [0].
>
> [0]: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/46
>
> Cheers,
>
Sorry, I dropped the process because I needed to reduce the maintenance
and release tasks of makedumpfile in handing it over to Masa. When I
was a crash-utility maintainer, I had not signed it and got no request
for it, so I think it's not essential.

Thank you for the information, we will rethink it in the next release.

Thanks,
Kazu

P.S. We will be on holiday next week, and back on May 7.
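
A downstream check for the approved-keys file proposed in the quoted message, as an added example that is not part of the original thread or of the makedumpfile project. It assumes a hypothetical allow-list file with one fingerprint per line, and every fingerprint and status line in it is constructed.

```shell
#!/bin/sh
# Added example: compare a release tag's signer with an approved-keys file.
# The allow-list format and all fingerprints are constructed placeholders.

# Print the primary-key fingerprint from GnuPG status text on stdin, as
# emitted by `git verify-tag --raw TAG 2>&1`. Fails if no VALIDSIG line.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(NF >= 12 ? $12 : $3); found = 1; exit }
         END { exit !found }'
}

# Succeed only if fingerprint $1 is listed in allow-list file $2.
# Assumed format: one fingerprint per line, '#' comments and blanks ignored.
fpr_allowed() {
    [ -n "$1" ] || return 1
    awk -v want="$1" '$1 == "" || $1 ~ /^#/ { next }
                      toupper($1) == want { ok = 1; exit }
                      END { exit !ok }' "$2"
}

# Classify a tag from its status text ($1) and the allow-list path ($2).
check_release_sig() {
    fpr=$(printf '%s\n' "$1" | signer_fpr) || { echo "unsigned-or-invalid"; return 1; }
    if fpr_allowed "$fpr" "$2"; then
        echo "trusted $fpr"
    else
        echo "untrusted $fpr"; return 2
    fi
}

# Constructed sample inputs.
FPR_OLD=AAAA0000AAAA0000AAAA0000AAAA0000AAAA0001   # previous release signer
FPR_NEW=BBBB0000BBBB0000BBBB0000BBBB0000BBBB0002   # newly approved signer
FPR_UNK=CCCC0000CCCC0000CCCC0000CCCC0000CCCC0003   # key nobody vouched for
status_for() {  # status text gpg emits for a good signature by key $1
    printf '[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG %s constructed uid\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2025-04-22 1745312280 0 4 0 1 10 00 %s\n' "$1" "$1"
}

keys=$(mktemp); trap 'rm -f "$keys"' EXIT
printf '# approved release signers\n%s old\n%s new\n' "$FPR_OLD" "$FPR_NEW" > "$keys"
check_release_sig "$(status_for "$FPR_NEW")" "$keys" || true
check_release_sig "$(status_for "$FPR_UNK")" "$keys" || true
check_release_sig "error: no signature found" "$keys" || true
```

In real use the first argument would be the output of `git verify-tag --raw TAG 2>&1`. The allow-list is only as trustworthy as the signed commit that last changed it, which `git verify-commit --raw` can check the same way.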