New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771897723

Comment:
> Will publishing "it's legit, please update, i lost old key" message in same domain where source and new key is placed be enough?

I think ideally no, since checking signatures includes the belief that the domain can't be fully trusted either. So some other method, including checking with people who know the dev personally and such (?).

If your point is that adding this to xbps-src requires thought on policy and how to handle keys, you are right, and I haven't given almost any thought to that side of it.