[ moving that part of the discussion to ubuntu-motu ] On 2008-07-09 14:16:33 +0200, Stephan Hermann wrote: > And with the Ubuntu Environment in general, giving out upload rights to > known contributors, we are showing to us and them that we trust those > people. I wonder if we still have this "you need at least one ubuntu > maintainer, debian maintainer who signed your gpg key" rule.
Was there ever such a rule? I've done some graphs on the web-of-trust for the gpg keys of MOTU and core-dev in February 2008: http://members.ping.de/~mb/ubuntu-keystats/ [1] It only shows the connections of gpg keys from core-dev, MOTU and combined. I didn't include connections to DD keys. I also need to update those graphs. But as one can see there is only a small set of connected gpg keys from MOTU and a large set not connected at all. core-dev looks a little bit better. But this was all in Feb 2008 and I really need to update those graphs. The question is how to improve the web-of-trust of MOTU? As much as I'd like to see that new MOTUs have their gpg key signed by a MOTU, core-dev, or even a DD, I fear that it would be a to high bar. In the current situation I'd also be happy with a short trust path to a ubuntu-dev or DD key. Unfortunately I see currently only a recommendation for (new and old) MOTUs to get there gpg keys signed when there is a opportunity to improve our web-of-trust as practiable. Regards, Michael 1: This graphs were made with sig2dot and dot. There are also the keyrings I used. If somebody is interested to create updated graphs feel free to use these keyrings as a starting point. -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu