On 28.09.2013 12:09, Pierre Schmitz wrote:
> This reminds me: We need some kind of policy regarding the gpg keys of fellow packagers. As soon as there are no longer packages in the repos we should remove the key from the keyring package. [..] Maybe a simple rule of thumb: keys that are not or no longer included in the keyring package cannot be valid.
The only point of the keyring package is to reduce the number of lookups against key servers; it's not a whitelist. Just revoke the signatures and push a new keyring with the updated key (including revocation signatures) and gpg will figure out the rest. If they ever come back, we can just resign the key and gpg will accept it again (well, I hope it does; I never tested that). Granted, this creates a fair amount of signatures on the keys in question, but that's how gpg works.