[Anand Kumria]
>                       - require the developer to generate a new key
>                       - require the developer to have _at least_ N
>                         number of other, existing developers sign
>                         their key
>                       - once the developer submits their new key,
>                         the keyring-maint can select M of the N
>                         signatures from existing developers and ask
>                         them to further assure keyring-maint that the
>                         developer in question is who they say they
>                         are.
>                       - once that check passes, update the keyring.
> 
>                   I would suggest that M be 2 and N be 3.

In the 8 years I've been using Debian, I've met, in real life, exactly
one developer (and I think 2 former developers).  At that rate, were I
a developer and needed to revoke/reissue a gpg key, it would take
approximately 24 years to accumulate enough signatures to do so.

So N=3 sounds high, to me.  OTOH, complaints about the keyring
maintainer being slow would probably go away, since a 2-month
turnaround time is pretty negligible compared to 24 years.

(My point isn't really the 24 years, it's that some of us aren't
geographically situated to get 3 developer signatures as quickly as
you probably think.)


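The quoted proposal amounts to a threshold check: a replacement key must carry at least N certifications from keys already in the keyring, and keyring-maint then picks M of those signers to vouch out of band. The script below is an added illustration of that check, not code from Debian's keyring-maint or from either poster. It parses gpg's documented colon-separated listing (the `--with-colons --check-sigs` format), counts user-ID certifications from existing developers, and selects M vouchers. The key IDs, the keyring contents and the listing itself are constructed for the example; the script relies on gpg having verified the signatures (a `!` in the validity field) and does not check OpenPGP signatures itself.

```python
"""Apply an M-of-N certification threshold to a replacement key.

Added example: parses a constructed `gpg --with-colons --check-sigs`
listing of the new key, counts verified user-ID certifications that come
from keys already in the keyring, and picks M of those signers for
keyring-maint to contact.  Signature verification is left to gpg.
"""
import random

# Hypothetical long key IDs of existing developers; none are real keys.
KEYRING = {
    "1111111111111111",  # Alice
    "2222222222222222",  # Bob
    "3333333333333333",  # Carol
    "4444444444444444",  # Dave
}

# Constructed colon-format listing of the new key (shape follows gpg's
# doc/DETAILS).  Fields used: 1 = record type, 2 = validity ("!" = good
# signature), 5 = key ID of the key (pub) or of the signer (sig),
# 11 = signature class.
NEW_KEY_LISTING = """\
pub:-:4096:1:A1B2C3D4E5F60718:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000A1B2C3D4E5F60718:
uid:-::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::New Developer <newdev@example.org>::::::::::0:
sig:!::1:A1B2C3D4E5F60718:1700000000::::New Developer <newdev@example.org>:13x:::::2:
sig:!::1:1111111111111111:1700000100::::Alice <alice@example.org>:13x:::::2:
sig:!::1:2222222222222222:1700000200::::Bob <bob@example.org>:12x:::::2:
sig:!::1:3333333333333333:1700000300::::Carol <carol@example.org>:13x:::::2:
sig:?::1:4444444444444444:1700000400::::[User ID not found]:13x:::::2:
sig:!::1:9999999999999999:1700000500::::Stranger <stranger@example.net>:13x:::::2:
sub:-:4096:1:F0E1D2C3B4A59687:1700000000::::::e::::::23:
sig:!::1:A1B2C3D4E5F60718:1700000000::::New Developer <newdev@example.org>:18x:::::2:
"""

# OpenPGP certification signature classes 0x10..0x13 (generic .. positive).
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


def third_party_certifiers(listing):
    """Return (key_id, set of signer key IDs) for verified uid certifications.

    Skips self-signatures, anything under a subkey record (binding
    signatures, class 0x18, are not certifications), non-certification
    classes, and signatures gpg did not mark as good.
    """
    key_id = None
    in_uid = False
    signers = set()
    for line in listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            key_id = f[4]
            in_uid = False
        elif rec == "uid":
            in_uid = True
        elif rec in ("sub", "ssb"):
            in_uid = False
        elif rec == "sig" and in_uid:
            validity, signer, sig_class = f[1], f[4], f[10]
            if validity != "!":
                continue  # bad, errored or unverifiable signature
            if sig_class[:2] not in CERTIFICATION_CLASSES:
                continue  # not a user-ID certification
            if signer == key_id:
                continue  # self-signature does not count towards N
            signers.add(signer)
    return key_id, signers


def check_replacement(listing, keyring, n=3, m=2, rng=None):
    """Apply the proposal's rule: at least n existing developers must have
    certified the key; m of them are then chosen to vouch to keyring-maint.

    Returns a dict with 'ok', the new key ID, the qualifying signers
    ('vouchers') and the m signers selected ('selected').
    """
    key_id, signers = third_party_certifiers(listing)
    vouchers = sorted(signers & keyring)  # only existing developers count
    if len(vouchers) < n:
        return {"ok": False, "key": key_id, "vouchers": vouchers, "selected": []}
    rng = rng or random.SystemRandom()
    return {"ok": True, "key": key_id, "vouchers": vouchers,
            "selected": sorted(rng.sample(vouchers, m))}


if __name__ == "__main__":
    print(check_replacement(NEW_KEY_LISTING, KEYRING))
```

With the constructed listing, Alice, Bob and Carol qualify (Dave's signature could not be verified and the fifth signer is not in the keyring), so N=3 is just met and two of the three are selected; raising N to 4, or dropping one of them from the keyring, fails the check. The selection uses `random.SystemRandom` by default so the new developer cannot predict which signers will be contacted.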