Re: The Debian Mentors Project
Hi, Colin Watson wrote:
>> Perhaps an easy thing to do would just be to show whether or not a
>> package is signed by a key which is signed by a real Debian developer.
>> I.e., use the web of trust. Then at least one can be reasonably sure that
>> the maintainer is real.
>
> Surely getting that signature is the whole point of the system in the
> first place?
Getting a signature by some DD or other is _one_ step in the NM process,
and such a signature makes sense even if you don't plan to become a DD.
I would strongly suggest that you use a write-only "incoming", and a
signature checker which moves packages to the download area if they're OK.
That checker should do the following:
- start with the standard DD keyring, + an empty "uploaders" keyring
- loop forever_and_ever:
  - is the package correctly signed? no => delete
  - is the key which was used in one of the keyrings? yes => accept
  + - get the key from one of the keyservers. Failure => delete
  + - is the key signed by somebody who _is_ in the DD keyring? no => delete
  + - add the key to the "uploaders" keyring
  - accept the package.
Except for the steps marked '+', AFAIK the standard Debian FTP software
already does all of the above. The reason for using two keyrings is that
the DD ring can be updated more easily.
--
Matthias Urlichs | {M:U} IT Consulting @ m-u-it.de | smurf@smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
--
If two wrongs don't make a right, try three.
-- Laurence J. Peter
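The checker loop described in the mail, modelled as an added Python example (not code from the original message or from any Debian FTP tooling). The cryptographic signature check and the keyserver fetch are stand-ins here; a real deployment would call gpg for both. Key fingerprints and uploads are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    fingerprint: str
    signers: frozenset          # fingerprints of keys that have signed this key

@dataclass(frozen=True)
class Upload:
    name: str
    signer: str                 # fingerprint of the key that made the signature
    signature_ok: bool          # outcome of signature verification (modelled)

class Keyserver:
    """Stand-in for a keyserver; counts lookups so one can see that a key
    already in a keyring is never fetched again."""
    def __init__(self, keys):
        self.keys = {k.fingerprint: k for k in keys}
        self.lookups = 0
    def fetch(self, fingerprint):
        self.lookups += 1
        return self.keys.get(fingerprint)        # None models a failed fetch

def check_upload(upload, dd_keyring, uploaders_keyring, keyserver):
    """Apply the mail's rules to one upload; returns 'accept' or 'delete'.
    Both keyrings are dicts fingerprint -> Key; uploaders_keyring grows."""
    if not upload.signature_ok:                         # not correctly signed
        return "delete"
    fpr = upload.signer
    if fpr in dd_keyring or fpr in uploaders_keyring:   # key already known
        return "accept"
    key = keyserver.fetch(fpr)                          # '+': fetch the key
    if key is None:                                     # fetch failed
        return "delete"
    if key.signers.isdisjoint(dd_keyring):              # '+': no DD signed it
        return "delete"
    uploaders_keyring[fpr] = key                        # '+': remember the key
    return "accept"                                     # (trusted from now on)

def run_checker(uploads, dd_keyring, uploaders_keyring, keyserver):
    """Process the incoming queue in order; returns {package: decision}."""
    return {u.name: check_upload(u, dd_keyring, uploaders_keyring, keyserver)
            for u in uploads}

# Constructed sample data: one DD key; two keys only the keyserver knows.
DD_KEYRING = {"DD01": Key("DD01", frozenset())}
KEYSERVER = Keyserver([Key("NEW1", frozenset({"DD01"})),   # signed by a DD
                       Key("NEW2", frozenset({"RAND"}))])  # signed by a stranger
UPLOADS = [Upload("a_1.0", "DD01", True),   # accept: DD key
           Upload("b_1.0", "NEW1", True),   # accept: fetched, DD-signed, added
           Upload("c_1.0", "NEW1", True),   # accept: now in uploaders, no fetch
           Upload("d_1.0", "NEW2", True),   # delete: no DD signature on key
           Upload("e_1.0", "NONE", True),   # delete: keyserver has no such key
           Upload("f_1.0", "DD01", False)]  # delete: bad signature, DD or not
```

Note that once a key lands in the uploaders keyring it is accepted without re-checking the web of trust, so a key later removed from the DD ring keeps its uploaders' access until that ring is pruned.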