[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re-thinking Debian membership



On Friday 2008-10-24, Patrick Schoenfeld wrote:
> Lars Wirzenius wrote:
> > * Membership is controlled via GnuPG keyrings, primarily maintained by
> > the Debian Account Manager. The keyrings shall be maintained in a way
> > that allows any member to change them, and that is fully transparent to
> > the members in general, and that further makes it easy to undo
> > mistakes.
>
> hu? why? Don't you think that this has security implications?
> And don't you think, there is an interest to protect the security of
> the Debian project machines? Well, we think that every DD is
> trustworthy, because we rely on GPG signatures between already trusted
> people. But after all power you give to people is an appeal to exploit
> it. So its IMHO not really a good idea to give power to people,
> who _do not need_ the power.

AIUI he's just advocating having the equivalent of a (publicly scrutinized) 
NMU for the keyring, that is:
- have trusted gatekeeper(s) who normally does all changes
- have all changes be public (many eyes make all bugs shallow)
- also have the possibility for the equivalent of an NMU, for those cases 
where the gatekeeper is on vacation/to busy/otherwise unavailable/goes 
rogue.
-- 
Cheers, Cobaco (aka Bart Cornelis)

Attachment: signature.asc
Description: This is a digitally signed message part.


Reply to: