Thus spoke "Samuele Giovanni Tonon" <[EMAIL PROTECTED]> on Tue, 9 Jul 2002 12:31:12 +0200:

> On Mon, Jul 08, 2002 at 11:31:55PM +0100, Matthew Johnson wrote:
> > On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> > >  
> > The main problem is presumably with trust of the keys. If all the debian
> > developers / package maintainers had keys signed by a central debian key
> > - they you still have to trust that debian key. Events like debconf
> > could certainly be used to check fingerprints and sign keys - but that
> > still leaves a lot of ppl without an easy way to check.
> Is it possible to make a statistic on how many DDs are in this situation?
> What about identifying these "weak nodes" and then trying to enforce them?
> cya
> Samuele

As far as I know, to become a maintainer it is necessary to have one's PGP key 
signed by another Debian maintainer. So what about a central Debian key that 
signs the keys of some reliable maintainers, who in turn could sign the 
others' keys?

Or even better: what about a central Debian maintainer key repository? This 
repository could then be installed as a .deb package. And ONLY 
_this_very_package_ would be signed with the Debian über-key. For every 
other package to be installed, the public key would have to be in this 
locally installed key DB. To be added to this DB one would need the 
approval of, say, two already trusted Debian maintainers. One could even make a 
web interface or something to automate this process.

Just my ideas
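As an added illustration, not part of the thread, here is a toy Python model of the policy proposed above: a locally installed key DB seeded by the über-key, admission of a new key only with approvals from two distinct already-trusted keys, and an install check that accepts the root signature only on the keyring package itself. Key fingerprints, the package name "debian-keyring" and the approval count are assumptions; signatures are plain strings, not real OpenPGP.

```python
from dataclasses import dataclass, field
from typing import Iterable

# Constructed model of the proposed central maintainer key repository.
# "Signatures" are just strings; no real OpenPGP verification happens here.
REQUIRED_APPROVALS = 2          # assumption: "say, two already trusted maintainers"
KEYRING_PACKAGE = "debian-keyring"  # assumption: name of the key-repository .deb


@dataclass
class KeyDB:
    root: str                                  # the Debian "über-key"
    keys: set[str] = field(default_factory=set)  # keys currently trusted locally

    def __post_init__(self) -> None:
        # The über-key seeds the DB with a few reliable maintainers' keys.
        self.keys.add(self.root)

    def add_key(self, fpr: str, approvals: Iterable[str]) -> bool:
        """Admit fpr only if REQUIRED_APPROVALS *distinct* keys that are
        already in the DB vouch for it.  Duplicated approvals, self-approval
        and approvals from unknown keys do not count."""
        valid = {a for a in approvals if a in self.keys and a != fpr}
        if len(valid) < REQUIRED_APPROVALS:
            return False
        self.keys.add(fpr)
        return True

    def revoke(self, fpr: str) -> None:
        # Caveat: keys admitted on this key's approval are NOT cascaded;
        # a real policy would have to decide whether they stay trusted.
        self.keys.discard(fpr)


def package_trusted(db: KeyDB, package: str, signer: str) -> bool:
    """Install-time check.  The keyring package must carry the root
    signature; every other package must be signed by a key in the local
    DB.  Assumption: the root key signs nothing else, so a root signature
    on an ordinary package is rejected rather than blindly trusted."""
    if package == KEYRING_PACKAGE:
        return signer == db.root
    return signer in db.keys and signer != db.root
```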

