Re: question for all candidates

[Kalle Kivimaa <killer@debian.org>]

[Moving this to -devel, please reply only there, this is not really
voting related stuff. We are talking about things to improve keyring
maintenance, for those not reading -vote.]

Anthony Towns <aj@azure.humbug.org.au> writes:
> So first one was the spam problem, keyring-maint is a well-known address,
> and mails that are meant to go to it could be in all sorts of weird
> formats. There's already magic debian.org handling that'll drop stuff
> without a pseudo-header in the mail (for submit@bugs), or without
> a specific tag in the subject which should mostly solve the problem,
> which mostly requires working out some tags/headers and making sure all
> the appropriate documentation is updated.

Could these mails be required to have a valid GPG signature (either
for a key in a public keyserver or a DD key)? This would eliminate the
spam problem (almost) entirely.

> The third thing was to develop some new scripts to manage
> debian-keyring.gpg in a more componentised manner -- rather than
> one huge blob, have many small files that are independently auditable
> (this is the key for "blah@debian.org", it's authorised because it came
> via grmbl@debian.org after blah lost their key in a tragic accident
> involving a watermelon, it's signed by foo and bar...). The scripts
> to manage all this have to be simple, obviously correct and secure,
> and also fast enough to be usable.

I think I could at least try to tackle this, as this doesn't need
anything special. If somebody else is already working on this, I would
appreciate a heads-up :)

> Apparently there's been some mention of this on -private; I'm not
> sure when.

I recall some discussion, yes.

-- 
* Sufficiently advanced magic is indistinguishable from technology (T.P)  *
*           PGP public key available @ http://www.iki.fi/killer           *