On Wed, Aug 20, 2003 at 11:03:32AM -0500, Steve Langasek wrote:
> On Wed, Aug 20, 2003 at 11:23:47AM +0200, Martin Quinson wrote:
> > On Wed, Aug 20, 2003 at 06:46:34PM +1000, Martin Michlmayr wrote:
> > > * Goswin von Brederlow <[EMAIL PROTECTED]> [2003-08-20 10:31]:
> > > > > Martin Quinson <[EMAIL PROTECTED]> wrote:
> > > > > > I just wondered if it would be possible for non-developer
> > > > > > contributors to Debian to get their GPG key in the Debian 
> > > > > > keyserver. 
> > > > 
> > > > You can also apply as a NM for translation work. You don't need to
> > > > maintain a package or know much about the packaging system for
> > > > that. You get different task&skill tests.
> > > 
> > >    V I P   Martin Quinson <[EMAIL PROTECTED]>
> 
> > Exact. I *did* apply. I'm even pretty well advanced in the process.
> 
> > $ LC_ALL=C gpg --keyserver keyring.debian.org --recv-keys E145F334 
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
> 
> > This is the ID of my key, available from www.keyserver.net and signed by 2
> > DD. Did I mess something up ?
> 
> > Shouldn't Debian make sure that work submissions from non-DD contributors are
> > signed, just like it does for work submissions from DDs?
> 
> The keyring on keyring.debian.org is used directly as a means of
> authorizing people to a number of Debian resources, including the
> package upload queue and d-d-a.  Whether you agree with this design or
> not, it means that the Debian keyserver is not suitable for use as a
> general-purpose means of *authenticating* people.  For authenticating
> PGP users to one another, you should use the usual Web of Trust to
> achieve this.

I have to confess my ignorance here. Since there seem to be 4 keyrings on that
server (according to /usr/share/doc/debian-keyring/README.gz at least), I
was wondering if it would be possible to add a 5th for the trusted
contributors who are not DDs.

I can well imagine that the debian-keyring.{gpg,pgp} is used to allow people
to upload packages and such, and I certainly do not want to get into that ring
(yet -- I'm in the NM process). But I was dreaming of such a trust facility
for non-DD contributors.


Another point is that it would constitute a strong signal to non-DD
contributors: they would be trusted by Debian. According to The Cathedral
and the Bazaar, that's the way it should be if not too technically
difficult...


Thanks, Mt.

-- 
The unavoidable price of reliability is simplicity.
    --Hoare

