Re: apt 0.6 and how it does *not* solve the problem
martin f krafft wrote:
> also sprach Geoff <firstname.lastname@example.org>
> > Is it possible on a gpg key server to mark a key as invalid,
> > without access to the private key?
> Yes, by removing it from the keyring.
> The question is how one would continuously QA the developers... and
> how one would make sure that they treat the keys securely, which is
> a whole different thing.
I don't see how you can automatically determine if they have kept their
key secure. However from some sort of QA process (an online test, or
something else) you can determine:
* Are they still interested/involved in Debian
* Do they know about recent significant developments in Debian for DDs
(I'm thinking about new tools, changes to policy, legal issues that
might have arisen)
* Do they have the knowledge to keep their key secure
* Do they know what to do if their key is broken
Do you consider that determining these points is a fair approximation of
whether or not a developer is likely to keep their key secure?