Re: RFS: nautilus-clamscan

2008-06-14 Thread Clement Lorteau
Hello,

I uploaded a new version that has a debian/watch file, per standards
version 3.8.0:
http://mentors.debian.net/debian/pool/main/n/nautilus-clamscan. Could
you have a look?


> You can use "test_files/*" for debian/nautilus-clamscan.examples.

Is that really needed or is it just for the convenience of the packager?
The packaging script I develop as my understanding of Debian packaging
evolves can't do that. 

> 
> Your GPG key is not signed by anyone. You should try to meet someone
> that can sign it, preferably a DD or someone whose key is signed by a
> DD. Look at this page:
>  https://nm.debian.org/gpg.php
> 
> If you live in Paris or near Paris, I can sign your key.

I do live near Paris. I'll contact you in private. However, is the key
signing needed for uploading the package? I had 2 versions of another
package uploaded without having to have my key signed.

Thanks for the help,
Clément.

-- 
Clement Lorteau
www.lorteau.fr | launchpad.net/~northern-lights


signature.asc
Description: This is a digitally signed message part


Re: RFS: nautilus-clamscan

2008-06-14 Thread Richard Hecker

Clement Lorteau wrote:

..

>> Your GPG key is not signed by anyone. You should try to meet someone
>> that can sign it, preferably a DD or someone whose key is signed by a
>> DD. Look at this page:
>>  https://nm.debian.org/gpg.php
>>
>> If you live in Paris or near Paris, I can sign your key.
>
> I do live near Paris. I'll contact you in private. However, is the key
> signing needed for uploading the package? I had 2 versions of another
> package uploaded without having to have my key signed.


If I were intimately familiar with a package and had looked at
EVERYTHING, I would be comfortable uploading a package signed with an
unverified key.  But that is a lot of work (and I am basically asking
everyone to hold me accountable for any problems ;-).

It is much more likely that I would not duplicate someone else's
effort.  When I decide to accept what someone else has done, then it
becomes much more important to be able to identify that person.  At
the point where I might want to say I got code from someone else, the
signed key becomes critical.  I could upload a package that was sent
with an unverified key, but that would speak volumes about my
judgement.  When I sign a package (or another key for that matter), a
person can rely on my judgement as input.  I do not promote worthless
input.  It should be easy to understand why a person would hesitate to
accept an unverified key since it could make their judgement worthless.


Richard

