
Re: apt 0.6 and how it does *not* solve the problem



martin f krafft wrote:
> also sprach Geoff <geoff.crompton@bjhcontrols.com.au> [2004.08.23.0134 +0200]:
>
>> Is it possible on a gpg key server to mark a key as invalid, without
>> access to the private key?
>
> Yes, by removing it from the keyring.
>
> The question is how one would continuously QA the developers... and
> how one would make sure that they treat the keys securely, which is
> a whole different thing.


I don't see how you can automatically determine if they have kept their key secure. However, from some sort of QA process (an online test, or something else) you can determine:

* Are they still interested/involved in Debian
* Do they know about recent significant developments in Debian for DDs
  (I'm thinking about new tools, changes to policy, legal issues that
  might have arisen)
* Do they have the knowledge to keep their key secure
* Do they know what to do if their key is broken

Do you consider that determining these points is a fair approximation of whether or not a developer is likely to keep their key secure?

  Geoff
