Change log level at g_log_remove_handler

[platform/upstream/glib.git] / SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
index 3505b2a..c7fb816 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -17,6 +17,17 @@ Under GLib’s versioning scheme, stable release series have an *even* minor
 component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series
 have an *odd* minor component (2.67.1, 2.69.0).
 
+## Signed Releases
+
+The git tags for all releases ≥2.58.0 are signed by a maintainer using
+[git-evtag](https://github.com/cgwalters/git-evtag). The maintainer will use
+their personal GPG key; there is currently not necessarily a formal chain of
+trust for these keys. Please [create an issue](https://gitlab.gnome.org/GNOME/glib/-/issues/new)
+if you would like to work on improving this.
+
+Unsigned releases ≥2.58.0 should not be trusted. Releases prior to 2.58.0 were
+not signed.
+
 ## Reporting a Vulnerability
 
 If you think you've identified a security issue in GLib, GObject or GIO, please
@@ -52,9 +63,7 @@ are then:
 ## Security Announcements
 
 Security announcements are made publicly via the
-[`distributor` tag on discourse.gnome.org](https://discourse.gnome.org/tag/distributor)
-and cross-posted to the
-[distributor-list](https://mail.gnome.org/mailman/listinfo/distributor-list).
+[`distributor` tag on discourse.gnome.org](https://discourse.gnome.org/tag/distributor).
 
 Announcements for security issues with wide applicability or high impact may
 additionally be made via