Christoph Anton Mitterer said [Wed, Jun 18, 2014 at 04:21:36AM +0200]:
> On Mon, 2014-06-16 at 20:14 +0200, Jakub Wilk wrote:
> > debian-keyring is not useful for automatic authentication of source
> > packages.
> Well to be honest I never fully understood the idea behind
> debian-keyring...
> IMHO this should be actually debian-developers-keyring and it should be
> intended just for offline systems (and thus have only little use in the
> real world).
> (...)

Thanks for bringing this topic up. I'm snipping your very detailed implementation proposal, which does not sound like it was written at 4AM at all ;-)

I do feel the keyring-maint package is a leftover from days long gone. Nowadays the keyring is kept at a DVCS tree, and regularly exported to a publicly accessible instance. Furthermore, it stores its full history, so you can even check if $foo was a valid key at some point in the past.

FWIW, I was thinking about including the possible disappearance as one of the points to talk about in the DebConf BoF we proposed regarding keyring-maint.