PGP key-management guru needed
Hi,
I (once again) just read Jonathan Walther's Key-Signing HOWTO
(http://master.debian.org/~krooger/HOWTO-PGP-Key-Signing) and noticed
that a detail that seems quite important to me has still not been
addressed:
Adding all the deb developers' keys to one's public ring is nice, but
what about debian-keyring updates, which will in some circumstances
_DROP_ some keys?
-> Is a public keyring file able to track the source keyring, and will
obsolete keys be removed on the next import?
-> Do we have to track the changes (changelog.Debian or diff'ing "pgp
-kv" output) and remove these keys by hand?
-> Would it be acceptable to modify pgp so that it systematically or
optionally trusts /usr/share/keyrings/debian.pgp? I guess that
allowing one to specify multiple keyrings on the command line would be
enough - it would remove the need to import the constantly evolving
keyring. OTOH it means you trust any update of this file ;)
--
Yann Dirson <dirson@debian.org>
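The second option raised above, tracking keyring changes by diffing key listings and removing dropped keys, as an added example that is not part of the original post. It assumes GnuPG's `--with-colons --fingerprint` listing format rather than `pgp -kv`, and the two listings are constructed samples embedded inline; it only prints the removal commands for an operator to review.

```python
"""Find keys that a new keyring snapshot has dropped relative to an old one.

Constructed example: the listings mimic `gpg --with-colons --fingerprint`
output (an assumption; the original post talks about `pgp -kv`).
"""

FPR_ALICE = "A1" * 20      # constructed 40-hex-digit primary fingerprint
FPR_ALICE_SUB = "A2" * 20  # constructed subkey fingerprint (must be ignored)
FPR_BOB = "B0" * 20        # constructed; Bob's key is dropped in the new snapshot

OLD_LISTING = f"""\
pub:u:4096:1:000000000000A1A1:1234567890::-:::scESC::::::23::0:
fpr:::::::::{FPR_ALICE}:
uid:u::::1234567890::HASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:000000000000A2A2:1234567890::::::e::::::23:
fpr:::::::::{FPR_ALICE_SUB}:
pub:u:4096:1:000000000000B0B0:1234567890::-:::scESC::::::23::0:
fpr:::::::::{FPR_BOB}:
uid:u::::1234567890::HASH2::Bob Example <bob@example.org>::::::::::0:
"""
NEW_LISTING = "\n".join(OLD_LISTING.splitlines()[:5]) + "\n"  # Bob's key removed

def parse_primary_keys(listing):
    """Map primary-key fingerprint -> first user id, skipping subkey fpr lines."""
    keys, current, expect_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expect_fpr, current = True, None       # next fpr line is the primary key
        elif f[0] == "fpr" and expect_fpr:
            current, expect_fpr = f[9], False
            keys[current] = ""
        elif f[0] == "uid" and current and not keys[current]:
            keys[current] = f[9]
        elif f[0] == "sub":
            current = None                         # ignore the subkey's fpr line
    return keys

def dropped_keys(old_listing, new_listing):
    """Keys in the old snapshot whose fingerprint no longer appears in the new one."""
    new = parse_primary_keys(new_listing)
    return {fpr: uid for fpr, uid in parse_primary_keys(old_listing).items() if fpr not in new}

def removal_commands(dropped, keyring="~/.gnupg/pubring.gpg"):
    """Commands for an operator to review before running; nothing is executed here."""
    return [f"gpg --no-default-keyring --keyring {keyring} --delete-keys {fpr}" for fpr in sorted(dropped)]

if __name__ == "__main__":
    gone = dropped_keys(OLD_LISTING, NEW_LISTING)
    for fpr, uid in gone.items():
        print(f"dropped: {fpr} {uid}")
    print("\n".join(removal_commands(gone)))
```

Saving the listing at each import and diffing against the previous one is what answers the "by hand" question; matching on full fingerprints rather than short key IDs avoids deleting the wrong key.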