Unbound 1.24.1 released

[Yorgos Thessalonikefs]

Hi Phil, (and Petr),

The plan is to have a single key for signing software that is easily 
manageable across colleagues with such responsibilities.

Most of the pieces are already in place but we need some final 
coordination to activate the new system.

I am not sure about running our own WKD but I can of course bring the 
suggestion to the table.

Best regards,
-- Yorgos


On 25/10/2025 02:21, Phil Pennock via Unbound-users wrote:
> On 2025-10-24 at 18:38 +0200, Petr Menšík via Unbound-users wrote:
>> However, my Fedora package has failed again on PGP key verification. New
>> release is signed with key 948EB42322C5D00B79340F5DCFF3344D9087A490.
> 
> For myself, the announcement 4 days earlier (on the 20th) in the email
> with Subject of "Unbound release - introducing extra PGP key" was quite
> helpful.
> 
> Eg: https://lists.nlnetlabs.nl/pipermail/unbound-users/2025-October/008598.html
> 
> A single keyring for "all keys valid for this product" would be helpful,
> albeit too often I'd see folks fetch it just before fetching the
> software release assets and verify against the key just retrieved from
> the same place and then be confused as to why I'd flag it as an issue.
> So it's not as simple as "put it in the same place" and needs very
> careful messaging to at least try to discourage people from mistakes.
> 
> As to the <https://nlnetlabs.nl/people/> page, Yorgos' key is one of
> only three where the key is distributed from a site under their
> administrative control instead of the public swamps, so one of only
> three which doesn't make me wince.  This is a definite improvement.
> 
> (If PGP weren't dying such that I'm reluctant to spend effort on
> advocacy any more, I'd nudge towards WKD, as used by kernel.org,
> debian.org, archlinux.org, etc, so that `gpg --locate-external-keys
> foo at nlnetlabs.nl` could work; as it is, I'll leave it as this note that
> a world which is simpler for relying parties is possible, if folks are
> interested.)
> 
> -Phil