Jonathan McDowell writes ("Re: Bug#1102125: debian-keyring: Please add tag2upload oracle service key"):
> So your argument is that this is a key others will want easy access to
> for validation of signatures produced by tag2upload?

Yes.

> I still think it's
> closer to something like an archive key (managed by a team, doesn't need
> the web of trust or replacement pieces that keyring-maint get involved
> with), but equally we already have other role keys present.

The key definitely wants to be published officially by Debian. I think
debian-keyring.deb is the way we do that for GPG keys that we expect
humans and computers to use. Its replacement should be managed the same
way as some other keys used by systems - I think much like the archive
key which you mention.

I'm not sure precisely what you mean about the web of trust. The key
does bear my signature. But it won't be signing other keys, and if it
does that's an anomaly and ought not to be trusted.

> Is there a good reason why it can't go in the role-keys keyring and
> instead needs its own keyring?

There is much software which should treat this key the same way that it
treats keys in debian-keyring.gpg. [1] For example, dscverify.
Assuming this change to the keyring package is accepted, I will be
sending a patch to dscverify to look in this keyring when it's verifying
signatures on source packages.

If we put this key in debian-role-keys.gpg, things get more complicated.
Systems (like dscverify) which should trust the tag2upload key, should
*not* trust every key in role-keys the same way. For example, if the CD
signing key, or DAM's key, were to sign a source package, that would be
an anomaly, and ought not to be trusted.

So then we'd have to somehow teach all of those systems to trust only
*this particular* key out of debian-role-keys.gpg. That would involve
either hardcoding the key's name in all that software, using the key
name as the security-load-bearing identifier, or separately publishing
the fingerprint of the tag2upload key (presumably also in
debian-keyring.deb) and teaching all the software to check it.

Those options seem considerably worse than a keyring specifically for
this key.

Ian.

[1] Ultimately, modulo some wrinkles, everything that verifies
signatures on source packages (or normalised archive/git tags).

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. Pronouns: they/he.
If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
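As an added example, not code from the bug thread or from dscverify itself: how a verifier consumes gpgv's --status-fd output under the two options discussed above, keyring-scoped trust with a dedicated keyring versus pinning one fingerprint out of debian-role-keys.gpg. The keyring paths, the tag2upload keyring's file name, and every fingerprint and key id below are assumptions or constructed placeholders.

```python
import subprocess
# Keyring paths are assumptions; the tag2upload keyring's file name is a placeholder.
DEBIAN_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"
TAG2UPLOAD_KEYRING = "/usr/share/keyrings/PLACEHOLDER-tag2upload-keyring.gpg"
# Constructed placeholder fingerprints, not real keys: the oracle's primary key,
# one of its signing subkeys, and a CD signing key as found in debian-role-keys.gpg.
T2U_PRIMARY, T2U_SUBKEY, CD_KEY = "A" * 40, "C" * 40, "B" * 40

def gpgv_status(keyrings, signed_file):
    """Run gpgv trusting exactly `keyrings`; return its machine-readable status lines."""
    cmd = ["gpgv", "--status-fd", "1"]
    for path in keyrings:
        cmd += ["--keyring", path]
    proc = subprocess.run(cmd + [signed_file], capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def good_signature_fingerprint(status_lines):
    """Primary-key fingerprint of a good signature, or None.
    VALIDSIG's first field may be a subkey fingerprint; the primary key's is the
    optional tenth field, so prefer it. Any bad/expired/revoked/unknown-key line
    poisons the whole result even if a VALIDSIG line is also present."""
    fingerprint = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return None
        if fields[1] == "VALIDSIG":
            fingerprint = fields[11] if len(fields) > 11 else fields[2]
    return fingerprint

def accept_source_signature(status_lines, pinned=None):
    """pinned=None is keyring-scoped trust: gpgv was run only with keyrings whose
    every key may sign source packages, so a good signature suffices. With the key
    in debian-role-keys.gpg instead, the verifier must also pin its fingerprint,
    since a good signature from e.g. the CD key would otherwise be accepted."""
    fingerprint = good_signature_fingerprint(status_lines)
    return fingerprint is not None and (pinned is None or fingerprint in pinned)

# Constructed gpgv output: a signature by the oracle's subkey, and one by the CD key.
ORACLE_SIG = [
    "[GNUPG:] GOODSIG 0000000000000000 tag2upload oracle (placeholder)",
    f"[GNUPG:] VALIDSIG {T2U_SUBKEY} 2025-04-05 1743811200 0 4 0 22 10 01 {T2U_PRIMARY}",
]
CD_SIG = [
    "[GNUPG:] GOODSIG 0000000000000001 Debian CD signing key (placeholder)",
    f"[GNUPG:] VALIDSIG {CD_KEY} 2025-04-05 1743811200 0 4 0 22 10 01 {CD_KEY}",
]
```

With the dedicated keyrings passed to gpgv_status, the CD key's signature never reaches VALIDSIG at all (gpgv reports NO_PUBKEY), which is exactly why no fingerprint needs to be hardcoded in that design.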