Also sprach "Samuele Giovanni Tonon" <samu@linuxasylum.net> am Tage Tue, 9 Jul 2002 12:31:12 +0200: > On Mon, Jul 08, 2002 at 11:31:55PM +0100, Matthew Johnson wrote: > > On Mon, 2002-07-08 at 22:15, Marcel Weber wrote: > > > > > The main problem is presumably with trust of the keys. If all the debian > > developers / package maintainers had keys signed by a central debian key > > - they you still have to trust that debian key. Events like debconf > > could certainly be used to check fingerprints and sign keys - but that > > still leaves a lot of ppl without an easy way to check. > > Is it possible to make a statistic on how many DD are in this situation ? > What about on identify this "weak nodes" and then try to enforce them ? > > cya > Samuele As far as I know, to become a maintainer it is necessary to let ones pgp key be signed by another debian maintainer. So what about a central Debian key, that signs the keys of some reliable maintainers, which on the counterpart could sign the others keys? Or even better: what about a central debian maintainer key repository? This repository could then be installed as a .deb package. And ONLY _this_very_package_ would be signed with the debian über-key. And for every other package to be installed, the public key would have to be in this the locally installed key db. For being added to this db one would need the approval of say, two already trusted debian maintainers. One could even make a webinterface or something to automate this process. Just my ideas Marcel ----- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
Attachment:
pgppXF7b_xUzh.pgp
Description: PGP signature