
Re: Signing Packages.gz

Torsten Landschoff <torsten@debian.org> writes:

> I will never revoke a signature I made on a key because somebody leaves
> Debian. That I signed that key tells people that he actually is that
> person. If he leaves Debian he is still that person.

There would be a special key (probably held by the debian-keyring
maintainer) to sign developers' keys. A valid signature by this key
will mean that the person in question is indeed a Debian developer.
When this is no longer the case, the signature must be revoked.

Of course developers, including the debian-keyring maintainer (using
his own key, not the special one) can leave their signatures on the
ex-developer's key.

