Document qubes-secpack PGP key inclusion criteria

Andrew David Wong 2021-06-29 15:42:02 -07:00
parent 3253b6b91e
commit a2e3dfe7a7
GPG Key ID: 8CE137352A019A17


@ -174,6 +174,17 @@ signatures) are provided to ensure that the system is robust (e.g., against a
potential failure in Git tag-based verification) and to give users more options
to verify the files.
## PGP key inclusion criteria
The `qubes-secpack` generally includes only those PGP keys used to sign some
kind of official project artifact, such as Qubes release ISOs (release signing
keys), Git tags and commits (code signing, doc signing, and security team
keys), and the `qubes-secpack`'s own files and Git tags (security team keys
again). This means that email keys are generally not included, even for
official project email addresses. There is one exception to this rule: the
official [Qubes Security Team](/security/#qubes-security-team) email address,
which is used to report security vulnerabilities in Qubes OS to our security
team.
## History and rationale
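Review bot: the exception paragraph at the end of the new section says the Qubes Security Team email key is included but gives the reader no way to locate or identify it; consider naming the file in the `qubes-secpack` that carries that key (or its fingerprint) so the exception is verifiable rather than asserted. Two smaller points in the same hunk: "generally includes" and "generally not included" both hedge, so it is unclear whether the security-team email key is the only exception or merely the only one listed ("There is one exception to this rule" suggests the former; say so plainly if that is the intent), and the inline link `/security/#qubes-security-team` is a site-relative path that will not resolve when this file is read outside the website, so a full URL would be safer in a document that exists to help people verify keys.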