Hello,

On Sat 05 Apr 2025 at 11:37am +01, Ian Jackson wrote:
> Gunnar Wolf writes ("Re: Call for volunteers and GR draft: tag2upload key
> installation [and 1 more messages]"):
>> We see ourselves as an operational team, but not as a decision-making team,
>> except when it comes to determining i.e. a given category of keys is no
>> longer trustable (as we did back in 2014). Thus, we will be happy to add
>> what would amount to a role key, or a fourth active keyring, following the
>> instructions given by the relevant delegates ...
>
> Right.
>
> Management of this key is currently shared between DSA and the
> tag2upload team. I was the person who instructed the hardware token
> to generate it, so the key bears my signature. (See Sean's reply.)
>
> In any case it doesn't seem to be controversial that this key ought to
> be properly published in the debian-keyring package.
>
> I think it's clear that it ought to be its own keyring file.
> Automated systems need to verify with it, so if it were in with the
> other role keys there would have to be some kind of separate
> name-based or fingerprint-based access control as well, which would be
> needless complication and opportunity for error.
>
> As it happens we (the tag2upload team) have a need for this public key
> on another system - the dgit-repos git server. Right now we've done
> that ad-hoc, but I think doing it via debian-keyring is much better.
> I think Sean will agree.
>
> I think debian-keyring would probably also be a convenient way for dak
> to get this public key, but of course that is up to the ftpmasters.
>
> We will prepare an MR, with more details about the key's provenance
> etc. in the MR discussion comment. If ftpmaster have an opinion about
> this aspect, I think it would be OK to ask them to make it known
> there.

Yes, we wanted to publish it this way regardless, and ideally we will be
able to do expiry extensions via keyring.debian.org.

-- 
Sean Whitton