
why are improperly signed uploads accepted?

A concrete example is libhtml-parser-perl 3.12-1. The message that was
sent to debian-devel-changes was signed by a GPG key with ID 6D85A41E,
which is not in the Debian keyring. Michael Alan Dorman, the maintainer,
has a different key in the ring. (I could not find the key on the
keyservers, either.)

I was under the impression that uploads require a changes message
signed by a key in debian-keyring for them to be accepted. Is this not
the case, or was there an oversight somewhere?

(please CC me)
