Re: question for all candidates

[Moving this to -devel, please reply only there, this is not really
voting related stuff. We are talking about things to improve keyring
maintenance, for those not reading -vote.]

Anthony Towns <aj@azure.humbug.org.au> writes:
> So first one was the spam problem, keyring-maint is a well-known address,
> and mails that are meant to go to it could be in all sorts of weird
> formats. There's already magic debian.org handling that'll drop stuff
> without a pseudo-header in the mail (for submit@bugs), or without
> a specific tag in the subject which should mostly solve the problem,
> which mostly requires working out some tags/headers and making sure all
> the appropriate documentation is updated.

Could these mails be required to have a valid GPG signature (either
for a key in a public keyserver or a DD key)? This would eliminate the
spam problem (almost) entirely.

> The third thing was to develop some new scripts to manage
> debian-keyring.gpg in a more componentised manner -- rather than
> one huge blob, have many small files that are independently auditable
> (this is the key for "blah@debian.org", it's authorised because it came
> via grmbl@debian.org after blah lost their key in a tragic accident
> involving a watermelon, it's signed by foo and bar...). The scripts
> to manage all this have to be simple, obviously correct and secure,
> and also fast enough to be usable.

I think I could at least try to tackle this, as this doesn't need
anything special. If somebody else is already working on this, I would
appreciate a heads-up :)

> Apparently there's been some mention of this on -private; I'm not
> sure when.

I recall some discussion, yes.
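
An added illustration of the componentised keyring proposed in the quoted text above (not part of the original mail and not Debian's keyring tooling): each key sits in its own file beside an audit record, and a key without a complete record is left out of the assembled keyring. The file layout, the field names and the sample data are assumptions made up for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical layout (an assumption for this example, not Debian's real format):
#   <name>.gpg    binary OpenPGP public key of one developer
#   <name>.audit  "Field: value" lines recording why that key is authorised
REQUIRED = ("Owner", "Authorised-By", "Reason", "Signed-By")

def parse_audit(text):
    """Parse 'Field: value' lines; reject malformed, duplicate or missing fields."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip() or name.strip() in fields:
            raise ValueError(f"malformed or duplicate line: {line!r}")
        fields[name.strip()] = value.strip()
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return fields

def build_keyring(keydir):
    """Return (keyring_bytes, manifest, rejected) for a directory of components."""
    blob, manifest, rejected = b"", [], []
    for key in sorted(Path(keydir).glob("*.gpg")):  # sorted: reproducible output
        try:
            fields = parse_audit(key.with_suffix(".audit").read_text(encoding="utf-8"))
            data = key.read_bytes()
            if not data:
                raise ValueError("empty key file")
        except (OSError, ValueError) as exc:
            rejected.append((key.name, str(exc)))  # fail closed: key is left out
            continue
        # One manifest row per component: file, SHA-256, who authorised it.
        manifest.append((key.name, hashlib.sha256(data).hexdigest(), fields["Authorised-By"]))
        blob += data  # a binary keyring is the binary key exports concatenated
    return blob, manifest, rejected

def demo():
    """Constructed sample: one audited component and one key with no audit record."""
    audit = "Owner: blah\nAuthorised-By: grmbl@debian.org\nReason: key lost\nSigned-By: foo, bar\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "blah.gpg").write_bytes(b"\x99constructed-not-a-real-key")
        (Path(d) / "blah.audit").write_text(audit, encoding="utf-8")
        (Path(d) / "stray.gpg").write_bytes(b"\x99constructed-unaudited")
        return build_keyring(d)
```

The manifest gives a reviewer one hash and one authorising address per component, so a change to a single key shows up as a single changed row.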

