
Re: question for all candidates



On Fri, Mar 10, 2006 at 02:14:01AM +1000, Anthony Towns wrote:
> On Thu, Mar 09, 2006 at 03:47:35PM +0200, Kalle Kivimaa wrote:
> > Could these mails be required to have a valid GPG signature (either
> > for a key in a public keyserver or a DD key)? This would eliminate the
> > spam problem (almost) entirely.

> keyring-maint is the address for problems with your key -- not being
> able to mail it when you have problems with your key seems a bad idea. :)

AFAICT, the only reasons a developer should need to contact the
keyring-maint role address are:

1) needing to have a key removed from the ring
2) needing to get a replacement key accepted

If the developer is contacting keyring-maint due to 1), I guess it means the
key is no longer in their control, or else they could just publish their own
revocation certificate and upload it to keyring.debian.org.  However, you're
still left with a question of verifying the authenticity of the request;
perhaps having developers proxy such requests through some other developer
for signing isn't a bad idea?  Well, or maybe it is...

2) seems pretty easy to handle anyway, since getting a replacement key into
the keyring does require new signatures from other DDs, so making "signed
mail to keyring-maint" part of the process doesn't seem too onerous.

Though as an additional practical consideration, doing gpg checks against a
keyring is probably heavier than all other spam filtering rules combined...

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

