Re: non-DD contributors and the debian keyring
Martin Quinson wrote:
> I just wondered if it would be possible for non-developper contributors to
> Debian to get their GPG key in the Debian keyserver.
No. The contents Debian keyserver <keyring.debian.org> reflect the
list of registered Debian developers who also have an account on about
all Debian machines. It is also used to verify uploads against and
ensure that only packages that are properly signed by a Debian
developer are accepted into the archive.
Adding non-developers to this keyring would weaken our security model.
> This would help people like translators which can hardly become DD (since
> they do not have the required packaging skills). One of the most fundamental
> point is that currently, DD is very very strict about who can upload to the
> source and the packages, but when I submit a translation to someone who do
> not speak french, he have to trust me.
Adding a faulty or offending translation is much less harmful than
uploading a malicious package.
> This trust relationship would be eased if I could sign my mails and
> contribution with an easily available key. I mean, I do have a key signed by
> some DD, but since my key is not easily available, that's not easy for the
> DD I collaborate with.
As already mentioned there are public keyservers that should contain
all keys from Debian developers anyway. Fetching keys from there
should be as easy as from the Debian keyserver.
> The main issue is that I guess we would need a new keyring for that (along
> with the ones listed in /usr/share/doc/debian-keyring/README.gz). I guess it
> could be named contributor-keyring.
If you really want to go that path, check the mentors.debian.net
sub-project. I guess they have to maintain a second keyring anyway
for the uploads.
Regards,
Joey
--
No question is too silly to ask, but, of course, some are too silly
to answer. -- Perl book
Please always Cc to me when replying to me on the lists.
Reply to: