When using gradle dependency verification you bless a specific release key to simplify dependency version bumps. If I understand correctly this is the project release key for the next year or so:
57A9B92FEEDC551C3A5E5E5F6373846688F587B4
I was unable to verify that by any out-of-band means other than here. So first off, can you just confirm here that this is correct?
It would be really nice if you added a SECURITY.md to the repo with some details on this, which GitHub will present in a tab next to the README on the first page, as that strengthens the relationship between key and project. An example of this can be found in, for example, the jackson project:
https://github.com/fasterxml/jackson?tab=security-ov-file
But there are many projects that have adopted this strategy.
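For reference, this is what "blessing" the key above looks like in Gradle's `gradle/verification-metadata.xml`; it is an added example, not a file from this project, and the `group` value `org.example` is a placeholder for the project's real Maven group (the trust should be scoped to that group, not granted globally):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of Gradle dependency-verification metadata.
     The key fingerprint is the one quoted in the issue; "org.example" is a placeholder group. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Verify both artifacts and their Gradle/POM metadata. -->
      <verify-metadata>true</verify-metadata>
      <!-- Require PGP signatures, so a checksum alone is not enough to accept an artifact. -->
      <verify-signatures>true</verify-signatures>
      <key-servers>
         <key-server uri="https://keyserver.ubuntu.com"/>
      </key-servers>
      <trusted-keys>
         <!-- Full 40-hex-digit fingerprint, scoped to the publisher's group only.
              Any artifact in this group signed by this key is accepted without a per-version checksum,
              which is why the fingerprint must be confirmed out of band before it is added here. -->
         <trusted-key id="57A9B92FEEDC551C3A5E5E5F6373846688F587B4" group="org.example"/>
      </trusted-keys>
   </configuration>
</verification-metadata>
```

After a release-key rotation, this one line is the only thing that needs to change, which is the "simplify version bumps" benefit the post refers to; until the fingerprint is confirmed by the maintainers, the safer alternative is to pin per-artifact checksums instead.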