[arch-dev-public] Account removal for Daenyth (was: Special Removal of an Inactive TU: Daenyth)

Pierre Schmitz pierre at archlinux.de
Sat Sep 28 06:09:12 EDT 2013

On 28.09.2013 11:57, Florian Pritz wrote:
> Daenyth resigned on 27 Aug 2013 via Mail to Lukas with the subject "Re :
> TU Votes -- Reminder!". Apparently this has been missed so his accounts
> are still marked TU in the bbs and archweb and he is still listed as
> maintainer for 35 packages in archweb.
> I've disabled his accounts on nymeria and brynhild, marked him "past TU"
> in the wiki and removed the TU status on flyspray. Someone else please
> take care of archweb and bbs.

This reminds me: We need some kind of policy regarding the gpg keys of
fellow packagers. As soon as there are no longer packages in the repos
we should remove the key from the keyring package.

The question that remains is if master key holders should revoke their
signatures on such keys. It's not so much I wouldn't trust fellow
packagers anymore, but an unused but valid signing key in the wild is
just an unnecessary risk imho. Let's say a former dev gets his laptop and
that key stolen in a few years. I am not sure if I would blame him if he
would forget to inform us.

Maybe a simple rule of thumb: keys that are not or no longer included in
the keyring package cannot be valid.



Pierre Schmitz, https://pierre-schmitz.com
