[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

Robert Bihlmeyer wrote:

||  Torsten Landschoff <torsten@debian.org> writes:
||
||  > I will never revoke a signature I made on a key because somebody leaves
||  > Debian. That I signed that key tells people that he actually is that
||  > person. If he leaves Debian he is still that person.
||
||  There would be a special key (probably held by the debian-keyring
||  maintainer) to sign developer's keys. A valid signature by this key
||  will mean that the person in question is indeed a Debian developer.
||  When this is no longer the case, the signature must be revoked.
||
||  Of course developers, including the debian-keyring maintainer (using
||  his own key, not the special one) can leave their signatures on the
||  ex-developer's key.

What you actually sign is a user id on a public key, not the public
key itself.  When somebody steps down as developer, you can revoke the
signature that you put on

    Some Body <somebody@debian.org>

but not the one on

    Some Body <somebody@some.bodys.isp>

even though both user ids are on the same public key.

Ciao.                          Vincent (not a Debian developer (yet)).
Reply to: