From defcceae899729037d8088206a03c43c187b6705 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 13:44:35 -0400 Subject: good idea! --- ...ent_1_e383699dbed1890a16e3dfa80bd60905._comment | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment (limited to 'doc') diff --git a/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment new file mode 100644 index 0000000..3270c33 --- /dev/null +++ b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment @@ -0,0 +1,28 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2017-05-20T17:33:53Z" + content=""" +Very good idea! + +I suppose all it needs is a list of keyrings to check, and if it finds a +key there, it can say "John Doe is a Debian developer" rather than the current +"John Doe is probably a real person". + +This could be extended beyond distributions; individual software programs +could also ship keyrings with their developer(s). + +So, how about rather than a hardcoded distro-specific list of keyrings, +make debug-me look in /usr/share/debug-me/keyring/$project.gpg +There could be an accompnying file $project.desc that describes the +relationship to the project that being in their keyring entails. Eg, +"Relationship: Debian developer" in debian.desc. + +In the debian package of debug-me, you could then symlink +/usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory. + +The only risk is that some shady software project ships a keyring with a +.desc file that contains "Debian developer", so debug-me will claim a bogus +key is the key of a debian developer. But if a debug-me user is using such +shady software, it's probably rooted their computer already.. +"""]] -- cgit v1.2.3
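Review bot: the closing risk paragraph of the added comment leaves the "Relationship:" text in $project.desc as a free-form claim that debug-me would repeat verbatim, so any package that can write into /usr/share/debug-me/keyring/ can label its own keys "Debian developer". The proposal would be stronger if it said that debug-me shows the keyring's file name ($project) next to the relationship text, so a claim coming from some other project's .desc is visibly attributed to that project rather than presented as fact. The argument that such software has "probably rooted their computer already" covers a malicious package, but not a merely careless or mistaken .desc file, which deserves a sentence of its own. Two small wording points in the same hunk: "accompnying" should be "accompanying", and "debian package" / "debian developer" should be capitalised to match "Debian developer" earlier in the comment.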