The controversial proposal I poorly made about wikis is that it would be better to have some sort of review process like Wikipedia does. Since then I think Ubuntu has tried a review system called REVU.

http://natalian.org/archives/2006/05/26/no-gpg/

Quoting you (I think): "if someone steals a key from a DD, and he doesn't notice it and revoke the key before it is misused, I fully expect him to bear the full consequences of it".

I've observed DDs put keys on USB sticks. How long would it take to copy a key from a USB stick? 5 seconds? How would the DD know someone copied his or her key? I'm sure DDs have put their keys on networked servers. I'm sure DDs have probably lost their keys and rescued them in less than ideal conditions, such as on another DD's (tjhukkan) machine. It was perhaps a mistake to be public about what happened! I did revoke that key later after my AM requested me to do so, btw.

http://www.philzimmermann.com/images/responsible_behavior.png

I've observed DDs leave their laptops (with their keys on them) unattended at Debconf. Should they be punished?

So I still think it could be a security error to put too much into the physical GPG key. Hence my silly review system suggestion. Here's another crazy suggestion: how about something like RSA secure tokens?

I like to think I understand Debian's processes; however, if you want to take my naive comments as incompatible with or dangerous to Debian's doctrine, then you risk making Debian less democratic. Which is a little sad. :/

Still, I'm not afraid to apologise for my sensational blog post. I could have been a lot clearer, and perhaps I should have corrected the post (what do you think?). I want to continue contributing to Debian with as few barriers as possible, so I hope I can at least apply to be a DM.

Best wishes,