[arch-dev-public] TU application process

Eli Schwartz eschwartz at archlinux.org
Tue Nov 6 14:28:23 UTC 2018


On 11/6/18 7:32 AM, Bartłomiej Piotrowski via arch-dev-public wrote:
>> Here again I would argue that there are devs that have [core] pushing
>> rights, as well as devs that are Master Key holders. So even if you
>> don’t want to write this black on white, this actually means a small
>> group of people have the real control over the distro (technically,
>> Master Key holders could revoke everyone else).
> 
> You can argue, but it's simply not true. Any developer has access to
> [core]. Master key holders aren't considered any better than other
> developers besides having more duties and no one has ever refused to
> sign a new TU; for every master key holder, there is someone else holding
> a revocation certificate. There is no hierarchy.

I guess in addition it should be pointed out there's no technical
measure stopping *any* Dev from pushing a new keyring package that
deletes/revokes/disables all master keys and current packaging keys and
replaces the entire keyring with their own key alone. It's just yet
another package...


-- 
Eli Schwartz
Bug Wrangler and Trusted User
