Unbound 1.24.1 released
Phil Pennock
unbound-users+phil at spodhuis.org
Sat Oct 25 00:21:57 UTC 2025
On 2025-10-24 at 18:38 +0200, Petr Menšík via Unbound-users wrote:
> However, my Fedora package has failed again on PGP key verification. New
> release is signed with key 948EB42322C5D00B79340F5DCFF3344D9087A490.
For myself, the announcement 4 days earlier (on the 20th) in the email
with Subject of "Unbound release - introducing extra PGP key" was quite
helpful.
Eg: https://lists.nlnetlabs.nl/pipermail/unbound-users/2025-October/008598.html
A single keyring for "all keys valid for this product" would be helpful,
albeit too often I'd see folks fetch it just before fetching the
software release assets and verify against the key just retrieved from
the same place and then be confused as to why I'd flag it as an issue.
So it's not as simple as "put it in the same place" and needs very
careful messaging to at least try to discourage people from mistakes.
As to the <https://nlnetlabs.nl/people/> page, Yorgos' key is one of
only three where the key is distributed from a site under their
administrative control instead of the public swamps, so one of only
three which doesn't make me wince. This is a definite improvement.
(If PGP weren't dying such that I'm reluctant to spend effort on
advocacy any more, I'd nudge towards WKD, as used by kernel.org,
debian.org, archlinux.org, etc, so that `gpg --locate-external-keys
foo at nlnetlabs.nl` could work; as it is, I'll leave it as this note that
a world which is simpler for relying parties is possible, if folks are
interested.)
-Phil
More information about the Unbound-users
mailing list