Web-of-Trust of ubuntu-dev gpg keys (was: Motu application for Emanuele Gentili (emgent))

Michael Bienia michael at vorlon.ping.de
Wed Jul 9 13:54:45 BST 2008

[ moving that part of the discussion to ubuntu-motu ]

On 2008-07-09 14:16:33 +0200, Stephan Hermann wrote:
> And with the Ubuntu Environment in general, giving out upload rights to
> known contributors, we are showing to us and them that we trust those
> people. I wonder if we still have this "you need at least one ubuntu
> maintainer, debian maintainer who signed your gpg key" rule. 

Was there ever such a rule?

I've done some graphs on the web-of-trust for the gpg keys of MOTU and
core-dev in February 2008:
http://members.ping.de/~mb/ubuntu-keystats/ [1]
It only shows the connections of gpg keys from core-dev, MOTU and
combined. I didn't include connections to DD keys. I also need to update
those graphs.

But as one can see there is only a small set of connected gpg keys from
MOTU and a large set not connected at all. core-dev looks a little bit
better. But this was all in Feb 2008 and I really need to update those

The question is how to improve the web-of-trust of MOTU?

As much as I'd like to see that new MOTUs have their gpg key signed by a
MOTU, core-dev, or even a DD, I fear that it would be too high a bar. In
the current situation I'd also be happy with a short trust path to a
ubuntu-dev or DD key.

Unfortunately I see currently only a recommendation for (new and old)
MOTUs to get their gpg keys signed when there is an opportunity to
improve our web-of-trust as practicable.


1: These graphs were made with sig2dot and dot. There are also the
   keyrings I used. If somebody is interested to create updated graphs
   feel free to use these keyrings as a starting point.
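
The connectivity question raised in this message can also be checked without drawing a graph. The following is an added example, not part of the original post or of sig2dot: it reads the colon-delimited listing that `gpg --list-sigs --with-colons` prints for a keyring (field 1 is the record type, field 5 the key ID, which on `sig` lines is the signer's), groups the keyring's keys into connected sets, and measures the shortest signature chain between two keys. The function names are hypothetical and the sample listing and key IDs are constructed. `--list-sigs` does not verify signatures; `--check-sigs` does.

```python
from collections import defaultdict, deque

# Constructed sample of `gpg --list-sigs --with-colons` output (made-up key IDs).
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAA1:1200000000:::-:::scESC:
sig:::1:AAAAAAAAAAAAAAA2:1200000100::::Dev Two <two@example.org>:10x:
sig:::1:DDDDDDDDDDDDDDD9:1200000200::::[User ID not found]:10x:
pub:-:4096:1:AAAAAAAAAAAAAAA2:1200000000:::-:::scESC:
sig:::1:AAAAAAAAAAAAAAA3:1200000300::::Dev Three <three@example.org>:10x:
pub:-:4096:1:AAAAAAAAAAAAAAA3:1200000000:::-:::scESC:
pub:-:4096:1:AAAAAAAAAAAAAAA4:1200000000:::-:::scESC:
sig:::1:AAAAAAAAAAAAAAA4:1200000000::::Dev Four <four@example.org>:13x:"""

def parse_sigs(listing):
    """Map each key ID to the IDs that signed it (self-signatures dropped)."""
    signers, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            signers[current] = set()
        elif f[0] == "sig" and current and f[4] != current:
            signers[current].add(f[4])
    return signers

def components(signers):
    """Sets of keyring members linked by signatures in either direction."""
    parent = {k: k for k in signers}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    for key, sigs in signers.items():
        for s in sigs.intersection(signers):  # skip signers outside the keyring
            parent[find(s)] = find(key)
    groups = defaultdict(set)
    for k in signers:
        groups[find(k)].add(k)
    return sorted(groups.values(), key=len, reverse=True)

def trust_path_len(signers, src, dst):
    """Fewest signatures from src to dst (src signed X, ..., X signed dst)."""
    dist, queue = {dst: 0}, deque([dst])
    while queue and src not in dist:
        k = queue.popleft()
        for s in signers.get(k, set()).difference(dist):
            dist[s] = dist[k] + 1
            queue.append(s)
    return dist.get(src)
```

On the sample, `components(parse_sigs(SAMPLE))` gives one connected set of three keys and one key that carries only its self-signature; a signer outside the keyring, such as a DD key, can still be the start of a trust path.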

