Enrico Zini dijo [Wed, Nov 15, 2017 at 05:46:52PM +0100]: > I would be ok with saying that emeritus people who have a valid gpg key > can still have email forwarding, exporting the emeritus keyring > alongside the other keyrings, and handling email forwarding > configuration changes via chan...@db.debian.org, and key replacements as > usual. > > It would exclude people who don't have a viable gpg key anymore in the > keyring, or who are not interested in maintaining one, but that is > already the case mostly anywhere in Debian, and I don't see it as a > blocker for keeping forwarding working as long as someone is emeritus > and has a key in the emeritus keyring. > > I would also be ok saying that people whose keys in the emeritus keyring > become invalid over time, because they expire or because they are not > replaced when needed, move to "removed" status after a while.
FWIW some other people have expressed procedure concerns on this
topic, I am not repeating them.
We (keyring-maint) do keep an Emeritus keyring. Given it is not really
_used_, I had not checked its real status in a long time, but now I
must really take off my hat towards Jonathan - It is quite well
maintained.
It used to be a very large directory:
https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg?id=f6293ba7d7c4e775b3b83185e66da41f4765721f
But since Jonathan removed short keys in it (as they are keys we will
never use again and should no longer consider trusted), it became way
smaller. Current view:
https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg
Anyway, we could continue to receive updates for and process the
Emeritus' keyring, if any person in it was interested in doing so... I
doubt it would be the case. We can also produce that keyring together
with our updates if any infrastructure were to use it.
I have a feeling it would mostly be over-engineering, though. Keeping
the mail alias working "forever" sounds right, but I expect that any
mail update requests would still end up in a human to implement.
signature.asc
Description: PGP signature
