[ANNOUNCE] c-ares.org downloads and website updates
Brad House
brad at brad-house.com
Fri Jun 7 00:38:31 CEST 2024
On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
>
> Hello, congrats on the update. I don't mean to be annoying but the
> introduction of a new key should be in an email signed by the old key.
> The download page could clarify also which versions are expected to be
> signed by either key and which are only by Daniel, e.g. from >=1.30
> both keys are valid. This is probably in the changelog or NEWS file
> (if not please add) but I didn't check.
>
I'm pretty sure the mailing list updates too many aspects of the message
for a signed email to properly pass through and be able to be
validated. Maybe I'm wrong here. If I'm right though, what other way
could we "prove" my key is allowed to be used?

I did briefly discuss with Daniel about him signing my key with his as a
way to indicate some level of trust in my key, since we're across the
ocean from each other we'd need to do ID verification via a video chat.
We just haven't gotten around to that yet, would that "suffice"?

Regarding documenting whose key was used when, historically we never
even documented the valid signing key, there was no reference at all
other than just having the signatures for each package themselves.
Daniel has used a couple over the years, a DSA 1024bit key, and now an
RSA 2048bit key. Mine is an ed25519 sub key used for signing protected
by an rsa4096 certification key, we'll see if that causes any issues too :)

-Brad