Re: RFS: nautilus-clamscan
Clement Lorteau wrote:
If I were intimately familiar with a package and had looked at
EVERYTHING, I would be comfortable uploading a package signed with an
unverified key. But that is a lot of work (and I am basically
I do live near Paris. I'll contact you in private. However, is the key
signing needed for uploading the package? I had 2 versions of another
package uploaded without having to have my key signed.
Your GPG key is not signed by anyone. You should try to meet someone
that can sign it, preferably a DD or someone whose key is signed by a
DD. Look at this page:
If you live in Paris or near Paris, I can sign your key.
asking everyone to hold me accountable for any problems ;-).
It is much more likely that I would not duplicate someone else's effort.
When I decide to accept what someone else has done, then it becomes much
more important to be able to identify that person. At the point where I
might want to say I got code from someone else, the signed key becomes
critical.
I could upload a package that was sent with an unverified key, but that
would speak volumes about my judgement. When I sign a package (or another
key for that matter), a person can rely on my judgement as input. I do
not promote worthless input. It should be easy to understand why a person
would hesitate to accept an unverified key since it could make their