Re: State of the debian keyring
On Sun, Feb 23, 2014 at 12:49:37PM -0300, Henrique de Moraes Holschuh wrote:
> On Sun, 23 Feb 2014, Jonathan McDowell wrote:
> > * Requests need to include the full fingerprint of both the old and the
> > new key. Not just the key IDs. Not just the new key. We want to be
> > absolutely certain of what you're requesting replaced. I quite like
> > seeing the actual "gpg --fingerprint" output for both keys because it
> > tends to be quite easy to visually verify.
> >
> > * The new key must be signed by the old key that is being replaced.
> >
> > * The new key must be signed by 2 other keys that are present in the
> > Debian keyring.
> >
> > * The request must be signed by the old key. Signing the request with
> > the new key alone is not helpful - requests must always be signed by
> > a key that is currently in the active keyring. Signing it with both
> > is fine, but not required.
> >
> > * You should specify *why* you want to replace your key. Knowing that
> > it's because you're moving to a stronger key rather than because your
> > old key is compromised / unavailable / on fire helps us prioritise
> > things.
>
> This is not what is written here:
> http://keyring.debian.org/replacing_keys.html
>
> Please update that page. In particular, it *requires* a third party to
> request the key swap on your behalf.
Paragraph 2 on that page states:
| If key X is still valid then Alice may sign the request using that key,
| but must ensure key Y is signed by key X as well as at least 2 other
| active Debian developers whose keys are in the keyring.
What would you suggest as alternative wording which is clearer?
J.
--
Replace repetitive expressions by calls to a common function.
This .sig brought to you by the letter M and the number 35
Product of the Republic of HuggieTag
Reply to: