Ng Oon-Ee wrote:
Under which circumstances would you envision the need to trust an old, compromised signature?
New install, dev for a couple of [extra] packages has already left the team. Having to recompile every time a dev leaves the team is additional (unnecessary) hassle IMO, especially for bigger packages (openoffice and sons, I'm looking at you).
If the user is trustworthy, I wouldn't remove the user's key until after he no longer maintains any package (even though he can have his access revoked). If you need for some reason to keep them as trusted while revoking the key, you could sign the other dev's package, thus taking responsibility for the integrity of that package (some users may disagree and reject your packages because they don't accept your policy).