Re: Signing Packages.gz
Robert Bihlmeyer wrote:
|| Torsten Landschoff <email@example.com> writes:
|| > I will never revoke a signature I made on a key because somebody leaves
|| > Debian. That I signed that key tells people that he actually is that
|| > person. If he leaves Debian he is still that person.
|| There would be a special key (probably held by the debian-keyring
|| maintainer) to sign developer's keys. A valid signature by this key
|| will mean that the person in question is indeed a Debian developer.
|| When this is no longer the case, the signature must be revoked.
|| Of course developers, including the debian-keyring maintainer (using
|| his own key, not the special one) can leave their signatures on the
|| ex-developer's key.
What you actually sign is a user id on a public key, not the public
key itself. When somebody steps down as developer, you can revoke the
signature that you put on
Some Body <firstname.lastname@example.org>
but not the one on
Some Body <email@example.com>
even though both user ids are on the same public key.
Ciao. Vincent (not a Debian developer (yet)).