Web-of-Trust of ubuntu-dev gpg keys (was: Motu application for Emanuele Gentili (emgent))
michael at vorlon.ping.de
Wed Jul 9 13:54:45 BST 2008
[ moving that part of the discussion to ubuntu-motu ]
On 2008-07-09 14:16:33 +0200, Stephan Hermann wrote:
> And with the Ubuntu Environment in general, giving out upload rights to
> known contributors, we are showing to us and them that we trust those
> people. I wonder if we still have this "you need at least one ubuntu
> maintainer, debian maintainer who signed your gpg key" rule.
Was there ever such a rule?
I've done some graphs on the web-of-trust for the gpg keys of MOTU and
core-dev in February 2008:
It only shows the connections of gpg keys from core-dev, MOTU and
combined. I didn't include connections to DD keys. I also need to update
But as one can see there is only a small set of connected gpg keys from
MOTU and a large set not connected at all. core-dev looks a little bit
better. But this was all in Feb 2008 and I really need to update those
The question is how to improve the web-of-trust of MOTU?
As much as I'd like to see that new MOTUs have their gpg key signed by a
MOTU, core-dev, or even a DD, I fear that it would be a too high bar. In
the current situation I'd also be happy with a short trust path to an
ubuntu-dev or DD key.
Unfortunately I see currently only a recommendation for (new and old)
MOTUs to get their gpg keys signed when there is an opportunity to
improve our web-of-trust as practicable.
1: These graphs were made with sig2dot and dot. There are also the
keyrings I used. If somebody is interested to create updated graphs
feel free to use these keyrings as a starting point.
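
An added example, not part of the original post and not the poster's tooling: one way to measure the "connected set" and "short trust path" the message talks about, from the colon-delimited listing that `gpg --with-colons --list-sigs` prints. The key IDs and sample listing are constructed, and signatures are taken at face value (no verification, expiry or revocation handling).

```python
from collections import deque

# Constructed sample shaped like `gpg --with-colons --list-sigs` output
# (uid records omitted). Field 1 is the record type, field 5 the key ID.
SAMPLE = """\
pub:-:1024:17:00000000000000A1:1200000000:::-:::scESC:
sig:::17:00000000000000A1:1200000000::::Anchor (self-sig):13x:
pub:-:1024:17:00000000000000B2:1200000000:::-:::scESC:
sig:::17:00000000000000A1:1200000100::::Anchor:10x:
pub:-:1024:17:00000000000000C3:1200000000:::-:::scESC:
sig:::17:00000000000000C3:1200000000::::C (self-sig):13x:
sig:::17:00000000000000B2:1200000200::::B:10x:
pub:-:1024:17:00000000000000D4:1200000000:::-:::scESC:
sig:::17:00000000000000D4:1200000000::::D (self-sig):13x:
pub:-:1024:17:00000000000000E5:1200000000:::-:::scESC:
sig:::17:00000000000000F6:1200000300::::[User ID not found]:10x:
"""

def parse_sigs(listing):
    """Map each key in the keyring to the in-keyring keys that signed it."""
    signed_by, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]
            signed_by.setdefault(current, set())
        elif f[0] == "sig" and current and f[4] != current:  # skip self-sigs
            signed_by[current].add(f[4])
    # Signers outside the keyring (0x...F6 here) cannot extend a path.
    return {k: {s for s in v if s in signed_by} for k, v in signed_by.items()}

def trust_distance(signed_by, anchors):
    """BFS from anchor keys along signer -> signee edges; hop count per key."""
    dist = {a: 0 for a in anchors if a in signed_by}
    queue = deque(dist)
    while queue:
        signer = queue.popleft()
        for signee, signers in signed_by.items():
            if signer in signers and signee not in dist:
                dist[signee] = dist[signer] + 1
                queue.append(signee)
    return dist

def unconnected(signed_by, anchors):
    """Keys with no signature path from any anchor."""
    return sorted(set(signed_by) - set(trust_distance(signed_by, anchors)))
```

With `00000000000000A1` as the only anchor, the keys ending in D4 and E5 come back as unconnected: D4 has only a self-signature and E5 is signed only by a key outside the keyring.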