On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote:
> What about the following? An Application Manager asks his/her New
> Maintainer applicant to sign the source packages, or more generally one
> provides source packages on one's website, and publishes the key with which
> they were signed. (See also <http://mentors.debian.net>.) Doesn't the
> current behaviour exactly fit these purposes?
Ah, ok, I probably misunderstood its purpose then if it doesn't
intend to verify that it's signed by a DD.
However, it still fails to do what you describe: The .dsc can be
signed by *anyone* whose key I happen to have in my keyring, not only
by the person in the Maintainer: field, without giving any clue to
whose signature the .dsc has. I can't think what that's good for.
> > 1. Download the public key of Adam Attacker.
>
> Then it would be considered a user-assisted security hole at most, don't
> you think?
Well, many email clients automatically download the key that is needed
to verify a signature. The fact that a key exists in the public key
ring doesn't imply any trust at all.
Sami
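As an added illustration of the point made above (example code, not from this thread or from dpkg): a check that refuses a .dsc whose signature is merely valid against some key in the local keyring, and instead requires the signer's user id to match the Maintainer: field and the signing key to be in an explicitly trusted set. The .dsc text, gpg status lines, names, key id and fingerprints are constructed; the line shapes follow gpg's --status-fd output (GOODSIG, VALIDSIG).

```python
import re
from email.utils import parseaddr

# Constructed sample input: the Maintainer field of a .dsc and the lines gpg
# writes to --status-fd when a signature verifies against *some* key in the
# local keyring.  The names, key id and fingerprints are all made up.
DSC_TEXT = "Source: hello\nMaintainer: Jane Maintainer <jane@example.org>\nVersion: 1.0-1\n"
GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Adam Attacker <adam@example.net>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-09-05 "
    "1188949866 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Fingerprints the verifier actually trusts (e.g. a curated developer keyring),
# as opposed to whatever happens to be in ~/.gnupg.  Constructed value.
TRUSTED_FPRS = {"FEDCBA9876543210FEDCBA9876543210FEDCBA98"}

def maintainer_address(dsc_text):
    """E-mail address from the Maintainer: field, or None if absent."""
    m = re.search(r"^Maintainer:\s*(.+)$", dsc_text, re.MULTILINE)
    return parseaddr(m.group(1))[1] if m else None

def parse_status(status_text):
    """Return (signer_uid, fingerprint) from gpg --status-fd output.
    GOODSIG carries the key id and user id; VALIDSIG carries the fingerprint."""
    uid = fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "GOODSIG":
            uid = " ".join(parts[3:])
        elif len(parts) >= 3 and parts[1] == "VALIDSIG":
            fpr = parts[2]
    return uid, fpr

def check_dsc_signature(dsc_text, status_text, trusted_fprs):
    """Verdict string: 'ok' only when the signature is good *and* the signer
    is who the .dsc claims *and* the key is in the trusted set."""
    uid, fpr = parse_status(status_text)
    if uid is None or fpr is None:
        return "bad: no valid signature"
    signer = parseaddr(uid)[1]
    expected = maintainer_address(dsc_text)
    if signer != expected:
        return f"bad: signed by {signer}, Maintainer is {expected}"
    if fpr not in trusted_fprs:
        return f"bad: key {fpr} is in the keyring but not trusted"
    return "ok"

if __name__ == "__main__":
    print(check_dsc_signature(DSC_TEXT, GPG_STATUS, TRUSTED_FPRS))
```

With the constructed input the verdict is "bad: signed by adam@example.net, Maintainer is jane@example.org", which is exactly the case a keyring-membership check alone lets through.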