On Wed, Aug 20, 2003 at 09:40:02AM -0400, Stephen Frost wrote:
> * Martin Quinson ([EMAIL PROTECTED]) wrote:
> > $ LC_ALL=C gpg --keyserver keyring.debian.org --recv-keys E145F334
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
> >
> > This is the ID of my key, available from www.keyserver.net and signed by 2
> > DD. Did I mess something up?
>
> keyring.debian.org has only DDs in it. I think people were suggesting
> using the public keyservers. keyring.debian.org isn't a part of the
> public key servers.

That's the part of the system I was criticizing :)

> > Shouldn't Debian make sure that work submissions from non-DD contributors are
> > signed, just like it does for the work submissions from DDs?
>
> Interesting question. While it's not a bad idea I don't see it as
> entirely necessary either. At least when sponsoring a package the DD
> performing the sponsor must check everything regardless of if it was
> sent to them signed or not.
[...]

Hey, guys, I began the thread stating that I was mainly a translator and not
a packager.

Let's say that the test case here is that I send a translation patch to
Wichert about dpkg, as I already did. I think that Wichert has no idea about
French, so he cannot review the meaning of my work. If he actually
understands some French, let's imagine I'm Japanese or whatever.

Of course, he can (and should) review the syntax of my po file (a badly
formatted po file can easily let the application segfault by replacing %d by
%s in a printf format). msgfmt will warn him if I made such an error.

Nevertheless, should he trust the meaning of my translation blindly? I mean,
it could contain offending material, and even illegal material. I guess that
there will be someone to engage pursuits if dpkg subtly displayed racial
crime incitation, or so. I dunno in the States, but such things can bring you
to jail for a few months (if not years) in France. And it should be easy to
insert illegal material for the US in displayed text, thanks to your
wonderful anti-terrorist and digital rights management acts...

Who will get sued in such a situation? I guess Debian in first place, but if I
understand well, the whole identification process of the NM is exactly about
giving Debian the possibility to report the charges on the guilty developer
when sued, isn't it?

So, I ask again, shouldn't Debian check the real identity of contributors
when the maintainer is unable to check the material himself?

If it's ok so, what is the big deal of asking the DD for having a trusted key
and signing the packages, anyway?

I know about the public servers, but I was wondering why Debian makes things
harder for the DD while it has the infrastructure to simplify their work.

Thanks for your time, Mt.

--
Failure is not an option. It comes bundled with software.