* Martin Quinson (martin.quinson@tuxfamily.org) wrote:
> $ LC_ALL=C gpg --keyserver keyring.debian.org --recv-keys E145F334
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
>
> This is the ID of my key, available from www.keyserver.net and signed by 2
> DD. Did I mess something up ?

keyring.debian.org has only DDs in it. I think people were suggesting using the public keyservers. keyring.debian.org isn't a part of the public key servers.

> Shouldn't Debian make sure that work submission from non-DD contributors is
> signed, just like it does for the work submission from DDs ?

Interesting question. While it's not a bad idea I don't see it as entirely necessary either. At least when sponsoring a package the DD performing the sponsor must check everything regardless of whether it was sent to them signed or not. They have to check that the tarball given matches that on the official site (or verify that it's clean and correct some other way), they have to very carefully look through the diff, they have to build the package themselves, they should compare the diff to the prior version's diff if there was one, etc, etc. It's not as much work as doing the packaging themselves but it still is a fair bit of work. Once complete the sponsor should be completely confident with the package.

DDs are expected to do this work for themselves too but there's no one who's going to double-check it before it's put into the system, so there has to be a way to verify that it's been done; that's why DDs sign their packages before uploading (at least one reason anyway). DDs are trusted to have checked over their packages and whatnot, and signing the packages basically says "I've checked over it and it should be included." Since, at least at one point (not sure if it's still true), packages could be uploaded via anonymous ftp so long as they were signed.

I don't know much about the translation work. I would expect that this work is checked by some DD before being incorporated too, even if it's just to ensure the package builds correctly with it, since we don't all know every language. The same is kind of true for patches which change code the DDs might not be extremely familiar with, though there at least they could consult with upstream if they were unsure. I'm not sure what kind of double-check could be done on the translation work that's submitted, for example, via the BTS. I'm also not sure it's entirely necessary; I would find it pretty unlikely for someone to mount an attack by submitting patches which translate debconf questions to ask other things or something.

Stephen
Attachment:
pgp17g1OHhdlD.pgp
Description: PGP signature
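The "tarball matches what the .dsc claims" part of the sponsor's check described above, as an added shell example that is not part of the original thread: it reads the Checksums-Sha256 stanza of a .dsc and verifies each listed file's size and SHA-256 on disk. The .dsc, tarball and function names are constructed for the demonstration; the signature check with gpg and the comparison against upstream's own published checksum are left out because they need keys and network access.

```sh
#!/bin/sh
# Added example, not code from the thread. Offline portion of a sponsor's
# review: confirm the files a .dsc lists really are the files on disk.
set -u

sha256_of() {
    # Portable SHA-256 of a file: coreutils sha256sum, else perl shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_dsc_checksums DSCFILE: prints OK/MISSING/MISMATCH per listed file;
# returns 0 only if every file exists with the expected size and digest.
verify_dsc_checksums() {
    dsc=$1
    dir=$(dirname "$dsc")
    # Keep only the indented lines under "Checksums-Sha256:" (stop at next field).
    awk '/^Checksums-Sha256:/{f=1; next} /^[^ ]/{f=0} f' "$dsc" |
    while read -r sum size name; do
        path="$dir/$name"
        [ -f "$path" ] || { echo "MISSING $name"; exit 1; }
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_sum=$(sha256_of "$path")
        if [ "$actual_size" != "$size" ] || [ "$actual_sum" != "$sum" ]; then
            echo "MISMATCH $name"; exit 1
        fi
        echo "OK $name"
    done
}

# make_fixture DIR: constructed stand-in for an orig tarball plus a .dsc that
# lists it (the md5 in Files: is a dummy; only Checksums-Sha256 is checked).
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed upstream content\n' > "$dir/foo_1.0.orig.tar.gz"
    sum=$(sha256_of "$dir/foo_1.0.orig.tar.gz")
    size=$(wc -c < "$dir/foo_1.0.orig.tar.gz" | tr -d ' ')
    cat > "$dir/foo_1.0-1.dsc" <<EOF
Format: 3.0 (quilt)
Source: foo
Version: 1.0-1
Checksums-Sha256:
 $sum $size foo_1.0.orig.tar.gz
Files:
 00000000000000000000000000000000 $size foo_1.0.orig.tar.gz
EOF
}
```

A real review would run this only after `gpg --verify` on the .dsc succeeds and after comparing the orig tarball's digest with the one upstream publishes.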