Re: question for all candidates
- To: email@example.com
- Cc: debian-vote <firstname.lastname@example.org>
- Subject: Re: question for all candidates
- From: Kalle Kivimaa <email@example.com>
- Date: Thu, 09 Mar 2006 15:47:35 +0200
- Message-id: <firstname.lastname@example.org>
- Mail-followup-to: email@example.com
- In-reply-to: <20060309132512.GB15035@azure.humbug.org.au> (Anthony Towns's message of "Thu, 9 Mar 2006 23:25:12 +1000")
- References: <E1FGiUZ-0007Ijfirstname.lastname@example.org> <20060308143433.GA29540@schuldei.org> <20060309074405.GC12498@azure.humbug.org.au> <email@example.com> <E1FGiUZ-0007Ijfirstname.lastname@example.org> <20060308143433.GA29540@schuldei.org> <20060309074405.GC12498@azure.humbug.org.au> <20060309093505.GW3141@volo.donarmstrong.com> <20060309132512.GB15035@azure.humbug.org.au>
[Moving this to -devel, please reply only there, this is not really
voting related stuff. We are talking about things to improve keyring
maintenance, for those not reading -vote.]

Anthony Towns <email@example.com> writes:
> So first one was the spam problem, keyring-maint is a well-known address,
> and mails that are meant to go to it could be in all sorts of weird
> formats. There's already magic debian.org handling that'll drop stuff
> without a pseudo-header in the mail (for submit@bugs), or without
> a specific tag in the subject which should mostly solve the problem,
> which mostly requires working out some tags/headers and making sure all
> the appropriate documentation is updated.

Could these mails be required to have a valid GPG signature (either
for a key in a public keyserver or a DD key)? This would eliminate the
spam problem (almost) entirely.

> The third thing was to develop some new scripts to manage
> debian-keyring.gpg in a more componentised manner -- rather than
> one huge blob, have many small files that are independently auditable
> (this is the key for "firstname.lastname@example.org", it's authorised because it came
> via email@example.com after blah lost their key in a tragic accident
> involving a watermelon, it's signed by foo and bar...). The scripts
> to manage all this have to be simple, obviously correct and secure,
> and also fast enough to be usable.

I think I could at least try to tackle this, as this doesn't need
anything special. If somebody else is already working on this, I would
appreciate a heads-up :)

> Apparently there's been some mention of this on -private; I'm not
> sure when.

I recall some discussion, yes.

* Sufficiently advanced magic is indistinguishable from technology (T.P) *
* PGP public key available @ http://www.iki.fi/killer *