On 2010-05-06 21:42:40 +0100, Dmitrijs Ledkovs wrote:
> Debian is not using public gpg servers. Instead they maintain their
> own keyring shipped in the debian-keyring package. You cannot add
> signatures to that from non-dd's. And DD's are only keeping real
> signatures on their keys from key signing parties.

That's not fully correct. The keys from DDs are also on the public key servers, but a key has to be in the separately managed debian-keyring to have upload rights to Debian. The membership in this keyring is important, not the signatures on the key.

Of course it is possible to sign a key of a DD without being a DD oneself. I have signatures from DDs on my key and have also signed their keys (without being a DD). And as the keys are on public keyservers, you have no control over the signatures on your key. But you can tell gpg how much you trust (or do not trust) a key. And only trust other keys if they have signatures from trusted keys.

Michael