Re: State of the debian keyring
On 2014-02-23 17:22, Jonathan McDowell wrote:
> On Sun, Feb 23, 2014 at 12:49:37PM -0300, Henrique de Moraes Holschuh
>> This is not what is written here:
>>
>> Please update that page. In particular, it *requires* a third party
>> request the key swap on your behalf.
>
> Paragraph 2 on that page states:
>
> | If key X is still valid then Alice may sign the request using that
> | but must ensure key Y is signed by key X as well as at least 2 other
> | active Debian developers whose keys are in the keyring.
>
> What would you suggest as alternative wording which is clearer?

"2. Alice must sign a message with key X, requesting its replacement
with key Y. That statement should contain key fingerprints and Debian
login details. Key Y must be signed by key X as well as at least 2 other
active Debian developers whose keys are in the keyring.

If key X is no longer trustworthy (for example, revoked because it was
lost or compromised) she must get a Debian developer (ideally not Bob)
to make the request on her behalf; this developer must also have
performed the appropriate checks to enable them to be comfortable
signing key Y."

The last sentence still isn't clear to me (or rather, its starting point
in the original document is not); should the non-Bob developer also sign
the key Y? Is it acceptable for this developer to be the second
signatory on the new key, or does a third DD need to be involved?

Jonathan Wiltshire firstname.lastname@example.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
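
The signature requirement discussed in this thread can be checked from `gpg --check-sigs --with-colons` output for key Y. The Python below is an added example, not part of the original message or of Debian's keyring tooling; the key IDs, the keyring set, the listing and the function names are constructed for illustration. It reports the signer count both with and without the requesting developer, since the message leaves open whether that developer may be one of the two signatories.

```python
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types

# Constructed `gpg --check-sigs --with-colons` listing for key Y (all IDs are placeholders).
SAMPLE = """\
pub:-:4096:1:BBBBBBBBBBBBBBBB:1393000000:::-:::scESC:
uid:-::::1393000000::::Alice <alice@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1393000000::::Alice <alice@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1393000100::::Alice <alice@example.org>:10x:
sig:!::1:1111111111111111:1393000200::::Bob <bob@example.org>:10x:
sig:!::1:2222222222222222:1393000300::::Carol <carol@example.org>:10x:
sig:?::1:3333333333333333:1393000400::::[User ID not found]:10x:
sig:!::1:4444444444444444:1393000500::::Dave <dave@example.org>:10x:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1393000000::::::e:
sig:!::1:BBBBBBBBBBBBBBBB:1393000000::::Alice <alice@example.org>:18x:
"""
# Constructed stand-in for "active developers whose keys are in the keyring".
# Long key IDs keep the sample short; compare full fingerprints in practice.
KEYRING = {"AAAAAAAAAAAAAAAA", "1111111111111111",
           "2222222222222222", "3333333333333333"}

def good_certifiers(colons, new_key):
    """Key IDs with a verified ('!') certification on the key, self-signatures excluded."""
    signers = set()
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        validity, key_id, sig_class = f[1], f[4], f[10][:2]
        if validity.startswith("!") and sig_class in CERT_CLASSES and key_id != new_key:
            signers.add(key_id)
    return signers

def evaluate_replacement(colons, old_key, new_key, keyring, requester=None):
    """Report the facts the replacement rule depends on; the decision stays with the keyring maintainers."""
    certifiers = good_certifiers(colons, new_key)
    others = (certifiers & set(keyring)) - {old_key}
    return {
        "signed_by_old_key": old_key in certifiers,
        "other_keyring_signers": sorted(others),
        # The thread leaves open whether the requester may be one of the two.
        "other_signers_excluding_requester": sorted(others - {requester}),
        "meets_rule_when_old_key_valid": old_key in certifiers and len(others) >= 2,
    }

if __name__ == "__main__":
    print(evaluate_replacement(SAMPLE, "AAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBB",
                               KEYRING, requester="2222222222222222"))
```

In the sample, the unverifiable signature (`?`) and the signer outside the keyring are not counted, and excluding the requester leaves one other signer.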