Quoting Federico Ceratto (2020-08-17 20:17:49)
> On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez <roberto@debian.org> wrote:
> > Perhaps instead of requiring "a valid DD signature" as the basis for
> > "important" project actions (e.g., uploading to the archive), we should
> > consider rather "degree of trust associated with a collection of one or
> > more signatures".
>
> Forking the conversation a bit, I'm wondering what is the real threat
> that we want to mitigate.
> I guess the main one is: "a malicious DD uploads a package containing
> a backdoor"

Also: "a malicious DD votes twice"

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private