[arch-dev-public] Account removal for Daenyth (was: Special Removal of an Inactive TU: Daenyth)
Daenyth resigned on 27 Aug 2013 via Mail to Lukas with the subject "Re : TU Votes -- Reminder!". Apparently this has been missed so his accounts are still marked TU in the bbs and archweb and he is still listed as maintainer for 35 packages in archweb. I've disabled his accounts on nymeria and brynhild, marked him "past TU" in the wiki and removed the TU status on flyspray. Someone else please take care of archweb and bbs.
On 28.09.2013 11:57, Florian Pritz wrote:
> Daenyth resigned on 27 Aug 2013 via Mail to Lukas with the subject "Re : TU Votes -- Reminder!". Apparently this has been missed so his accounts are still marked TU in the bbs and archweb and he is still listed as maintainer for 35 packages in archweb.
> I've disabled his accounts on nymeria and brynhild, marked him "past TU" in the wiki and removed the TU status on flyspray. Someone else please take care of archweb and bbs.
This reminds me: We need some kind of policy regarding the gpg keys of fellow packagers. As soon as there are no longer packages in the repos we should remove the key from the keyring package. The question that remains is if master key holders should revoke their signatures on such keys. It's not so much that I wouldn't trust fellow packagers anymore, but an unused but valid signing key in the wild is just an unnecessary risk imho. Let's say a former dev gets his laptop and that key stolen in a few years. I am not sure if I would blame him if he forgot to inform us. Maybe a simple rule of thumb: keys that are not or no longer included in the keyring package cannot be valid.

Greetings,
Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
On 28.09.2013 12:09, Pierre Schmitz wrote:
> This reminds me: We need some kind of policy regarding the gpg keys of fellow packagers. As soon as there are no longer packages in the repos we should remove the key from the keyring package. [..] Maybe a simple rule of thumb: keys that are not or no longer included in the keyring package cannot be valid.
The only point of the keyring package is to reduce the amount of lookups against key servers; it's not a whitelist. Just revoke the signatures and push a new keyring with the updated key (including revocation signatures) and gpg will figure out the rest. If they ever come back we can just re-sign the key and gpg will accept it again (well, I hope it does; never tested that). Granted, this creates a fair amount of signatures on the keys in question, but that's how gpg works.
On 28.09.2013 11:57, Florian Pritz wrote:
> Daenyth resigned on 27 Aug 2013 via Mail to Lukas with the subject "Re : TU Votes -- Reminder!". Apparently this has been missed so his accounts are still marked TU in the bbs and archweb and he is still listed as maintainer for 35 packages in archweb.
> I've disabled his accounts on nymeria and brynhild, marked him "past TU" in the wiki and removed the TU status on flyspray. Someone else please take care of archweb and bbs.
Can we somehow get a list of people not listed as TUs/Devs in Archweb that still have valid PGP keys? I think that besides Daenyth, Dieter also still has a valid key. We might want to revoke all those signatures.
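The check asked for above (keys in the keyring whose owners are no longer listed as TU/dev but which still carry a good master-key certification), combined with the point from the earlier reply that a revocation signature shipped in the keyring cancels the certification, as an added example that is not part of this thread or of the Arch keyring tooling. It parses gpg's colon-separated listing; the master key ids, the active-member list and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch keyring): list keys in a keyring that
# still carry a good certification from a master key although their owner is no
# longer on the active TU/dev list. Input is gpg's machine-readable listing, e.g.
#   gpg --no-default-keyring --keyring archlinux.gpg --with-colons --list-sigs
# Fields used (gpg doc/DETAILS): $1 record type, $2 validity ("!" = good),
# $5 key id, $10 user id, $11 signature class (10x-13x = certification, 30x = cert revocation).
# Master key ids and the active list below are hypothetical placeholders.

MASTER_KEYS="AAAA111122223333 BBBB444455556666"   # placeholder master key ids
ACTIVE_KEYS="1111222233334444"                    # placeholder: keys of people still listed in archweb

# Constructed sample listing: an active packager, a former TU whose certification is
# still valid, and a former dev whose certification was revoked (rev record).
SAMPLE='pub:f:4096:1:1111222233334444:1378000000:::u:::scESC::::::::
uid:f::::1378000000::X::Active Packager <active@example.org>::::::::
sig:!::1:AAAA111122223333:1378000000:::::13x::::::
pub:f:4096:1:5555666677778888:1378000000:::u:::scESC::::::::
uid:f::::1378000000::X::Former TU <former@example.org>::::::::
sig:!::1:AAAA111122223333:1378000000:::::13x::::::
pub:f:4096:1:9999AAAABBBBCCCC:1378000000:::u:::scESC::::::::
uid:f::::1378000000::X::Former Dev <revoked@example.org>::::::::
sig:!::1:BBBB444455556666:1378000000:::::13x::::::
rev:!::1:BBBB444455556666:1380000000:::::30x::::::'

# stale_keys LISTING: prints "keyid uid" for every key not in ACTIVE_KEYS that has at
# least one master-key certification not cancelled by a later revocation record.
stale_keys() {
  printf '%s\n' "$1" | awk -F: -v masters="$MASTER_KEYS" -v active="$ACTIVE_KEYS" '
    BEGIN {
      n = split(masters, m, " "); for (i = 1; i <= n; i++) ismaster[m[i]] = 1
      n = split(active, a, " ");  for (i = 1; i <= n; i++) isactive[a[i]] = 1
    }
    function flush(  k) {                       # report the key collected so far
      if (key != "" && !(key in isactive) && live > 0) print key " " uid
      key = ""; uid = ""; live = 0; for (k in certs) delete certs[k]
    }
    $1 == "pub" { flush(); key = $5 }
    $1 == "uid" && uid == "" { uid = $10 }       # keep the primary user id only
    $1 == "sig" && $2 == "!" && ($5 in ismaster) && $11 ~ /^1[0-3]x/ {
      if (!($5 in certs)) { certs[$5] = 1; live++ }
    }
    $1 == "rev" && ($5 in ismaster) && $11 ~ /^30x/ {
      if ($5 in certs) { delete certs[$5]; live-- }
    }
    END { flush() }'
}

stale_keys "$SAMPLE"
```

Against a real keyring, replace SAMPLE with the output of the gpg command in the header and fill ACTIVE_KEYS from the archweb member list.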
participants (3): Florian Pritz, Pierre Schmitz, Thomas Bächler