Hi, So everyone knows that the declassification of -private isn't going to happen any time soon. Why not do the opposite? there is probably more interest in that and would be "easier" to implement.
At present, new DDs can access emails that were sent to -private years ago. People who might (or might not) be a member of the project and sent an email may not necessarily agree to that. Or a less controversial example: put simply, if an unauthorised person gets a hand on master.d.o there is no hope for those messages. So, "the opposite" of declassifying: instead of finding out what can be declassified, remove all "should remain private forever", VAC, and similar messages from the archive and put them in a tarball which is later encrypted by a key that is to be split using SSS. Effectively preventing people from accessing those messages unless really necessary (to the extent that the cooperation from people who have a part of the shared secret is needed). Let's call this "d-private burial". The process could be done for all messages older than d days (365, for example) every m months (12, for example) and new tarballs could include the previous one, so that only one tarball exists in master.d.o. Access to old tarballs would then require those who have parts of the keys to the new ones and those with parts of the keys of the old ones - or cracking the encryption, whatever happens first. Comments? From a bag of random, years-old, thoughts, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201306182249.56588.geiss...@debian.org