pqm at canonical.com key needs a new email, and some signatures
Robert Collins
robertc at robertcollins.net
Tue May 9 10:40:17 BST 2006
On Tue, 2006-05-09 at 18:17 +1000, Martin Pool wrote:
> On 8 May 2006, John A Meinel <john at arbash-meinel.com> wrote:
> > I just updated my 'verify-sigs' command so that it checks the output of
> > 'gpg --verify' to make sure that the revision was signed by the
> > committer, and not just some random signature.
> >
> > In the process, I found out that the pqm, which is committing as
> > "pqm at pqm.ubuntu.com" is signing using a key that only has the email
> > address "pqm at canonical.com".
> > So it would be nice if we could update pqm's key with whatever email
> > addresses it uses.
> >
> > Also, pqm at canonical.com is not in my web of trust. What is the proper
> > etiquette for signing keys that belong to an automated system, rather
> > than a human being. (It isn't really possible to check 2 forms of ID :)
> >
> > I'm willing to sign its key (especially if we add pqm at pqm.ubuntu.com),
> > but I don't want to mess up the web of trust because I'm signing an
> > automaton. So I figured to wait until I heard from someone like jblack
> > to see what the correct etiquette is.
>
> I think what you want is something like
>
> gpg --edit-key pqm at pqm.ubuntu.com
> > trust
> 2 (I do *NOT* trust)
> > sign
>
> meaning that you believe this is pqm's key, but you do not trust it to
> sign other keys.
Hell no.
Standard protocol here is to lsign it:
gpg --edit-key pqm
lsign
save
Rob
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20060509/e5dd9346/attachment.pgp
More information about the bazaar
mailing list