Bug#41794: dpkg-buildpackage PGP key lookup
On Sat, Oct 23, 1999 at 11:14:56AM -0400, Brian White wrote:
> > Appologies, it's been tedious work going through all the dpkg bugs, and I seem
> > to have overlooked a few details in going through these. There is a higher issue
> > at stake here though. The real problem is that having a maintainer address
> > that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
> > permits signing a maintainer address that isn't in the keyring, we are breaking
> > some fundamental neccesities for package signing.
> It isn't a person's name that is the important entry in the keyring; it's
> the digital signature that uniquely identifies someone. You could, in
> theory, have multiple package maintainers at the same email address. The
> fact that a full name is listed as part of the address is merely a
> convienence for us humans. I think any lookup that would produce a
> unique private key should be sufficient.
However these signatures are then gone. Which means that the only way to
check a package's maintainer against the keyring is via the maintainer field.
With your method, it would not be possible.