
Re: Developer Status

Steve Langasek wrote:

> On Thu, Oct 23, 2008 at 01:43:31PM -0500, Raphael Geissert wrote:
>> Luk Claes wrote:
>> > Raphael Geissert wrote:
>> >> What about getting every maintainer's key in a keyring and LDAP? It would
>> >> finally allow for a better management system to take place
>> > The problem is that not all maintainers have keys in the first place.
>> Which in theory is not good. Even packages that later get uploaded by a DD
>> should be signed.
> That shouldn't be relevant if the sponsor is doing their job of reviewing
> the package before upload.

IMHO it *is* relevant, as it helps enforce/teach the reasons why packages are
signed when uploaded to the archive. I've even seen some people continuously
creating new keys because they either forget the key password, or they
accidentally deleted the secret key, or because of similar reasons.

IMHO knowing the "why" of signed files/packages is one of the most important
points, together with DFSG, SC, policy, and such.

PS. I've seen people not knowing that even uploads by buildds are signed.
Although it is not something unforgivable, it clearly demonstrates that there
are some basic points not being covered properly, especially in NM.

Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
