Gunnar Wolf writes ("Re: Call for volunteers and GR draft: tag2upload key installation [and 1 more messages]"):
> We see ourselves as an operational team, but not as a decision-making team,
> except when it comes to determining i.e. a given category of keys is no
> longer trustable (as we did back in 2014). Thus, we will be happy to add
> what would amount to a role key, or a fourth active keyring, following the
> instructions given by the relevant delegates ...

Right. Management of this key is currently shared between DSA and the tag2upload team. I was the person who instructed the hardware token to generate it, so the key bears my signature. (See Sean's reply.)

In any case it doesn't seem to be controversial that this key ought to be properly published in the debian-keyring package.

I think it's clear that it ought to be its own keyring file. Automated systems need to verify with it, so if it were in with the other role keys there would have to be some kind of separate name-based or fingerprint-based access control as well, which would be needless complication and opportunity for error.

As it happens we (the tag2upload team) have a need for this public key on another system - the dgit-repos git server. Right now we've done that ad-hoc, but I think doing it via debian-keyring is much better. I think Sean will agree.

I think debian-keyring would probably also be a convenient way for dak to get this public key, but of course that is up to the ftpmasters.

We will prepare an MR, with more details about the key's provenance etc. in the MR discussion comment. If ftpmaster have an opinion about this aspect, I think it would be OK to ask them to make it known there.

Thanks,
Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.