Re: Official Debian digital 'branding' of debs

[Nicolás Lichtmaier <nick@debian.org>]

>  Nicolás>  But there IS a single point of failure. All solutions you
>  Nicolás> can image will have that. If you have developers sign
>  Nicolás> packages with their own keys, you'll need a mean to
>  Nicolás> `authorize' developers, in the form of a Debian signature to
>  Nicolás> the developers' signature.
>         Not true. The presence of the developers keys in the
>  debian-keyring package should be enough, as long as you have a secure
>  keyring.

 Uh? What's that? Since when one should be careful about which keys allows
in his key ring? The security check you propose requires a specific
knowledge that users won't probably have.

 Besides I'd like to have a test that could be carried out automatically...

 We should have a main key, and design fast channels to announce if the key
is compromised... Online packaging tools could check for this key status
also....

> Having a detatched signature on the keyring made by the
>  master key is your security.

 I didn't unserstand this sentence...