[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: question for all candidates

On Fri, Mar 10, 2006 at 02:14:01AM +1000, Anthony Towns wrote:
> On Thu, Mar 09, 2006 at 03:47:35PM +0200, Kalle Kivimaa wrote:
> > Could these mails be required to have a valid GPG signature (either
> > for a key in a public keyserver or a DD key)? This would eliminate the
> > spam problem (almost) entirely.

> keyring-maint is the address for problems with your key -- not being
> able to mail it when you have problems with your key seems a bad idea. :)

AFAICT, the only reasons a developer should need to contact the
keyring-maint role address are:

1) needing to have a key removed from the ring
2) needing to get a replacement key accepted

If the developer is contacting keyring-maint due to 1), I guess it means the
key is no longer in their control, or else they could just publish their own
revocation certificate and upload it to keyring.debian.org.  However, you're
still left with a question of verifying the authenticity of the request;
perhaps having developers proxy such requests through some other developer
for signing isn't a bad idea?  Well, or maybe it is...

2) seems pretty easy to handle anyway, since getting a replacement key into
the keyring does require new signatures from other DDs, so making "signed
mail to keyring-maint" part of the process doesn't seem too onerous.

Though as an additional practical consideration, doing gpg checks against a
keyring is probably heavier than all other spam filtering rules combined...

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

Reply to: