
Re: debsigs



Hi Florian!

On Thu, 28 Mar 2002, Florian Weimer wrote:

> Henrique de Moraes Holschuh <hmh@debian.org> writes:
> 
> > We do not revoke keys because they are not invalid. We do not revoke the
> > signatures on UIDs mentioning @debian.org, because that would cause a lot of
> > trouble for the person to come back to the Debian project, I think. One
> > cannot revoke a revocation certificate, AFAIK...
> 
> Yes, you can.  Just sign the key again.  Recent GnuPG versions will
> handle this correctly.

Will that work correctly in remote keys (i.e. if one key that HAS the
revocation signature on top of the old signature, and fetches the new
signature, does it wipe the old sig and rev. sig?)

If yes, then we really should be revoking signatures on all @debian.org
*UIDs* that are no longer true.

> > Someone is trusted by the project if, and only if, he has a non-revoked key
> > in the Debian keyring. Removing a key from the Debian keyring effectively
> > removes all privileges that key has as far as Debian is concerned.
> 
> I don't think it's a good idea to express trust by membership in the
> Debian keyring.  Why can't we use bare OpenPGP for that?

We don't use that because (AFAIK):

1. It is slower by a factor of 10, if not more.
2. It was not available in any functional sense when the current system
   was implemented, using good old PGP.

If (1) is not a problem anymore, and you are offering to fix all the
scripts...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

