Re: non-DD contributors and the debian keyring
On Wed, Aug 20, 2003 at 11:03:32AM -0500, Steve Langasek wrote:
> On Wed, Aug 20, 2003 at 11:23:47AM +0200, Martin Quinson wrote:
> > On Wed, Aug 20, 2003 at 06:46:34PM +1000, Martin Michlmayr wrote:
> > > * Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> [2003-08-20 10:31]:
> > > > > Martin Quinson <martin.quinson@tuxfamily.org> wrote:
> > > > > > I just wondered if it would be possible for non-developer
> > > > > > contributors to Debian to get their GPG key in the Debian keyserver.
> > > >
> > > > You can also apply as a NM for translation work. You don't need to
> > > > maintain a package or know much about the packaging system for
> > > > that. You get different task&skill tests.
> > >
> > > V I P Martin Quinson <Martin.Quinson@tuxfamily.org>
>
> > Exact. I *did* apply. I'm even pretty well advanced in the process.
>
> > $ LC_ALL=C gpg --keyserver keyring.debian.org --recv-keys E145F334
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
>
> > This is the ID of my key, available from www.keyserver.net and signed by 2
> > DD. Did I mess something up?
>
> > Shouldn't Debian make sure that work submissions from non-DD contributors are
> > signed, just like it does for the work submissions from DD?
>
> The keyring on keyring.debian.org is used directly as a means of
> authorizing people to a number of Debian resources, including the
> package upload queue and d-d-a. Whether you agree with this design or
> not, it means that the Debian keyserver is not suitable for use as a
> general-purpose means of *authenticating* people. For authenticating
> PGP users to one another, you should use the usual Web of Trust to
> achieve this.

I have to confess my ignorance here. Since there seem to be 4 keyrings on that
server (according to /usr/share/doc/debian-keyring/README.gz at least), I
was wondering if it would be possible to add a 5th for the trusted
contributors who are not DDs.

I can well imagine that the debian-keyring.{gpg,pgp} is used to allow people
to upload packages and such, and I certainly do not want to get into that ring
(yet -- I'm in the NM process). But I was dreaming of such a trust facility
for non-DD contributors.

Another point is that it would constitute a strong signal to non-DD
contributors: they would be trusted by Debian. According to The Cathedral
and the Bazaar, that's the way it should be if not too technically
difficult...

Thanks, Mt.

--
The unavoidable price of reliability is simplicity.
--Hoare