> Or even better: what about a central debian maintainer key repository? This repository could then be installed as a .deb package. And ONLY _this_very_package_ would be signed with the debian über-key. And for every other package to be installed, the public key would have to be in this the locally installed key db. For being added to this db one would need the approval of say, two already trusted debian maintainers. One could even make a webinterface or something to automate this process. As I see this ideas are not really original: There seem to be three packages for this functionality: debian-keyring debsig-verify debsigs Do they deliver this functionality? Marcel ----- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
Attachment:
pgpKaKrfVEf3E.pgp
Description: PGP signature