Package: nm.debian.org
Severity: important

So, today I discovered that nm2 doesn't actually use the manually curated Debian keyring to fetch gpg keys to use for e.g. validating signatures in the statements. Instead, it fetches the keys from the public keyserver networks.
I consider this a misfeature: the very goal of the Debian keyring is to have a clean and tidy keyring full of things we can trust; this behaviour could lead to e.g. accepting a signature done by a key that is not considered trusted by our keyring maintainers.

I acknowledge that often people forget to push their keys to keyring.debian.org when updating expiries or subkeys, but today the exact opposite happened, where a DD pushed new subkeys to the Debian keyring but not to the public network, and as a result he couldn't advocate a process.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me: https://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-