[arch-dev-public] Account removal for Daenyth

Florian Pritz bluewind at xinu.at
Sat Sep 28 07:22:17 EDT 2013


On 28.09.2013 12:09, Pierre Schmitz wrote:
> This reminds me: We need some kind of policy regarding the gpg keys of
> fellow packagers. As soon as there are no longer packages in the repos
> we should remove the key from the keyring package.
> [..]
> Maybe a simple rule of thumb: keys that are not or no longer included in
> the keyring package cannot be valid.

The only point of the keyring package is to reduce the amount of lookups
against key servers; it's not a whitelist.

Just revoke the signatures and push a new keyring with the updated key
(including revocation signatures) and gpg will figure out the rest. If
they ever come back we can just re-sign the key and gpg will accept it
again (well I hope it does; never tested that).

Granted, this creates a fair amount of signatures on the keys in
question, but that's how gpg works.

