Ubuntu needs a new development model

Michael Bienia michael at bienia.de
Fri May 7 10:44:05 UTC 2010

On 2010-05-06 21:42:40 +0100, Dmitrijs Ledkovs wrote:
> Debian is not using public gpg servers. Instead they maintain their
> own keyring shipped in the debian-keyring package. You cannot add
> signatures to that from non-DDs. And DDs are only keeping real
> signatures on their keys from key signing parties.

That's not fully correct. The keys from DDs are also on the public
keyservers, but a key has to be in the separately managed debian-keyring to
have upload rights to Debian. The membership in this keyring is
important, not the signatures on the key.
Of course it is possible to sign a key of a DD without being a DD
oneself. I have signatures from DDs on my key and have also signed their
keys (without being a DD).

And as the keys are on public keyservers, you have no control over the
signatures on your key. But you can tell gpg how much you trust (or not
trust) a key, and only trust other keys if they have signatures from
trusted keys.
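To make the last point concrete, here is an added example (written for this page, not GnuPG's code and not from the list thread): a small Python model of GnuPG's classic trust model. It assumes the gpg defaults completes-needed 1, marginals-needed 3 and max-cert-depth 5; the key names, the signature graph and the ownertrust assignments are constructed for illustration. It shows that a signature only counts when it comes from a key that is itself valid *and* to which you have assigned ownertrust, so signatures that strangers upload onto your key, or onto anyone else's, change nothing for you. In real gpg the ownertrust values are set with `gpg --edit-key <id>` followed by `trust`, or in bulk with `gpg --import-ownertrust`.

```python
# Added example, not GnuPG's code: a model of the "classic" GnuPG trust
# model, to show why ownertrust (what *you* assign) and not the number of
# signatures on a key decides whether gpg treats a key as valid.
# Assumed gpg defaults: completes-needed 1, marginals-needed 3,
# max-cert-depth 5. Key names and the signature graph are constructed.
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = (
    "ultimate", "full", "marginal", "never", "unknown")


def compute_validity(keys, signatures, ownertrust,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: validity} with validity in {"full", "marginal", "unknown"}.

    keys       : key ids in the keyring
    signatures : (signer, signed) certification signatures on user ids
    ownertrust : {key: ULTIMATE|FULL|MARGINAL|NEVER|UNKNOWN}, set by *you*
    A signature only counts if the signer is fully valid and you have
    assigned it ownertrust; enough such signatures make a key valid.
    """
    certs_on = defaultdict(set)
    for signer, signed in signatures:
        if signer != signed:            # self-signatures never add trust
            certs_on[signed].add(signer)

    validity = {k: UNKNOWN for k in keys}
    depth = {}                          # certification-chain length from your key
    for k, t in ownertrust.items():
        if t == ULTIMATE and k in validity:
            validity[k], depth[k] = FULL, 0   # your own key(s): valid by fiat

    changed = True
    while changed:                      # fixed point: one pass per chain step
        changed = False
        for k in keys:
            if validity[k] == FULL:
                continue
            fulls, margs, d = 0, 0, None
            for s in certs_on[k]:
                if validity.get(s) != FULL or depth[s] >= max_depth:
                    continue            # only fully valid, in-depth signers count
                t = ownertrust.get(s, UNKNOWN)
                if t in (ULTIMATE, FULL):
                    fulls += 1
                elif t == MARGINAL:
                    margs += 1
                else:
                    continue            # valid key, but no ownertrust: ignored
                d = depth[s] + 1 if d is None else min(d, depth[s] + 1)
            if fulls >= completes_needed or margs >= marginals_needed:
                new = FULL
            elif fulls + margs > 0:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[k]:
                validity[k] = new
                changed = True
            if new == FULL:
                depth[k] = d
    return validity


def example_keyring():
    """Constructed keyring: 'me' is the user's own key; dd1 and dd2 were met
    at a keysigning party; dd1 signed 'newcomer', dd2 signed 'other'; m1..m3
    are marginally trusted; 'spammer' carries signatures from unknown keys."""
    keys = ["me", "dd1", "dd2", "m1", "m2", "m3", "newcomer", "other",
            "group", "partial", "spammer", "nobody1", "nobody2", "nobody3"]
    signatures = [
        ("me", "dd1"), ("me", "dd2"),
        ("me", "m1"), ("me", "m2"), ("me", "m3"),
        ("dd1", "newcomer"),                     # dd1 has full ownertrust
        ("dd2", "other"),                        # dd2 is valid but untrusted
        ("m1", "group"), ("m2", "group"), ("m3", "group"),   # three marginals
        ("m1", "partial"),                       # one marginal: not enough
        ("nobody1", "spammer"), ("nobody2", "spammer"), ("nobody3", "spammer"),
        ("nobody1", "me"),                       # anyone may sign *my* key
    ]
    ownertrust = {"me": ULTIMATE, "dd1": FULL,
                  "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL}
    return compute_validity(keys, signatures, ownertrust)


if __name__ == "__main__":
    for key, v in example_keyring().items():
        print(f"{key:10s} {v}")
```

In the constructed keyring, `newcomer` and `group` end up fully valid, `partial` only marginally, and `other` and `spammer` stay unknown: `dd2`'s signature is worthless until you assign it ownertrust, and the three signatures on `spammer` come from keys that are not valid in your keyring at all.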


