On 11/6/18 7:32 AM, Bartłomiej Piotrowski via arch-dev-public wrote:
>> Here again I would argue that there are devs that have [core] pushing rights, as well as devs that are Master Key holders. So even if you don't want to write this black on white, this actually means a small group of people have the real control over the distro (technically, Master Key holders could revoke everyone else).
>
> You can argue, but it's simply not true. Any developer has access to [core]. Master key holders aren't considered any better than other developers besides having more duties, and no one has ever refused to sign a new TU; for every master key holder, there is someone else holding a revocation certificate. There is no hierarchy.

I guess in addition it should be pointed out there's no technical measure stopping *any* Dev from pushing a new keyring package that deletes/revokes/disables all master keys and current packaging keys and replaces the entire keyring with their own key alone. It's just yet another package...

-- 
Eli Schwartz
Bug Wrangler and Trusted User