
Bug#41794: dpkg-buildpackage PGP key lookup



On Sat, Oct 23, 1999 at 11:14:56AM -0400, Brian White wrote:
> > Apologies, it's been tedious work going through all the dpkg bugs, and I seem
> > to have overlooked a few details in going through these. There is a higher issue
> > at stake here though. The real problem is that having a maintainer address
> > that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
> > permits signing a maintainer address that isn't in the keyring, we are breaking
> > some fundamental necessities for package signing.
> 
> It isn't a person's name that is the important entry in the keyring; it's
> the digital signature that uniquely identifies someone.  You could, in
> theory, have multiple package maintainers at the same email address.  The
> fact that a full name is listed as part of the address is merely a
> convenience for us humans.  I think any lookup that would produce a
> unique private key should be sufficient.

However these signatures are then gone. Which means that the only way to
check a package's maintainer against the keyring is via the maintainer field.
With your method, it would not be possible.

Ben

