On Wed, 18 Aug 2004 23:10:56 +0200, Thomas Viehmann wrote:
> Brian Nelson wrote:
>> [quoted text muted]
> Yeah. Also, I'd think that trusting upstream is at least as delicate as
> trusting maintainers. (As for the ID check: I thought that getting a DD
> signature was indeed supposed to happen before sponsorship for precisely
> this reason and just wasn't properly enforced.) Working with people
> probably is the best way to build trust.
>

Where is that stated? I'd been sponsored and maintained packages in Debian for 2 years before getting my key signed (and consequently starting the NM process). The most difficult part(s) of the process have been finding someone local to sign my key, and waiting for DAM approval. :)

If the person being sponsored must have their key signed, that's a huge hurdle towards maintaining packages. Also, how would you even check that this is the case? Their key isn't in the keyring, and the packages are signed by the person doing the sponsoring. I'd imagine it would be up to the discretion of the person doing the sponsoring, based on how much they trust the person being sponsored.

--
Andres Salomon <dilinger@voxel.net>