
Bug#41794: dpkg-buildpackage PGP key lookup
> > In the case of a key lookup in a ring, I can't see any reason why the
> > email address alone would not be enough to make it unique.  It's not
> > a security thing since the security comes from having access to and
> > the passphrase for the private key, so it's simply a matter of convenience.
> > It would be convenient if dpkg wasn't so picky on this matter.
> 
> Apologies, it's been tedious work going through all the dpkg bugs, and I seem
> to have overlooked a few details in going through these. There is a higher issue
> at stake here though. The real problem is that having a maintainer address
> that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
> permits signing a maintainer address that isn't in the keyring, we are breaking
> some fundamental necessities for package signing.

It isn't a person's name that is the important entry in the keyring; it's
the digital signature that uniquely identifies someone.  You could, in
theory, have multiple package maintainers at the same email address.  The
fact that a full name is listed as part of the address is merely a
convenience for us humans.  I think any lookup that would produce a
unique private key should be sufficient.

                                          Brian
                                  ( bcwhite@pobox.com )

-------------------------------------------------------------------------------
      Relationships go through seasons.  Winter often comes before Spring.
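As an added illustration of the two lookup policies debated in this thread (not code from the bug report or from dpkg), the example below resolves a Maintainer string against a constructed, hypothetical keyring either by the full "Name <email>" user ID or by the email address alone, and fails closed whenever the lookup does not yield exactly one key.

```python
"""Resolve a Debian Maintainer string against a PGP keyring by user ID.

Strict mode matches the full "Name <email>" user ID (the picky behaviour the
thread complains about); email_only mode matches the address alone (the
relaxed lookup Brian argues for).  Both reject zero or multiple matches, since
a signature from an ambiguously chosen key does not bind the package to one
maintainer.  The keyring is a constructed sample with placeholder fingerprints.
"""
from email.utils import parseaddr

# Constructed keyring (hypothetical): fingerprints are placeholders, not real keys.
KEYRING = [
    {"fpr": "FPR-PLACEHOLDER-0001", "uids": ["Brian White <bcwhite@pobox.com>"]},
    {"fpr": "FPR-PLACEHOLDER-0002", "uids": ["Alice Example <team@example.org>"]},
    {"fpr": "FPR-PLACEHOLDER-0003", "uids": ["Bob Example <team@example.org>"]},
]


class KeyLookupError(Exception):
    """Raised when a maintainer string does not resolve to exactly one key."""


def _split_uid(uid: str) -> tuple[str, str]:
    """Split 'Name <addr>' into normalised (name, addr); name may be empty."""
    name, addr = parseaddr(uid)
    return name.strip().lower(), addr.strip().lower()


def resolve_key(maintainer: str, keyring=KEYRING, email_only: bool = False) -> str:
    """Return the fingerprint of the single key whose user ID matches."""
    want_name, want_addr = _split_uid(maintainer)
    if not want_addr:
        raise KeyLookupError(f"no email address in {maintainer!r}")
    matches = []
    for key in keyring:
        for uid in key["uids"]:
            name, addr = _split_uid(uid)
            if addr != want_addr:
                continue
            # Strict mode also requires the name part to agree.
            if email_only or name == want_name:
                matches.append(key["fpr"])
                break  # count each key at most once
    if not matches:
        raise KeyLookupError(f"no key in keyring for {maintainer!r}")
    if len(matches) > 1:
        # Two maintainers sharing one address: email-only lookup is ambiguous.
        raise KeyLookupError(f"{maintainer!r} is ambiguous: {matches}")
    return matches[0]
```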
