[[!comment format=mdwn
 username="joey"
 subject="""comment 1"""
 date="2017-05-20T17:33:53Z"
 content="""
Very good idea!

I suppose all it needs is a list of keyrings to check, and if it finds a
key there, it can say "John Doe is a Debian developer" rather than the current
"John Doe is probably a real person".

This could be extended beyond distributions; individual software programs
could also ship keyrings with their developer(s).

So, how about rather than a hardcoded distro-specific list of keyrings,
make debug-me look in /usr/share/debug-me/keyring/$project.gpg
There could be an accompnying file $project.desc that describes the
relationship to the project that being in their keyring entails. Eg,
"Relationship: Debian developer" in debian.desc.

In the debian package of debug-me, you could then symlink
/usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory.

The only risk is that some shady software project ships a keyring with a
.desc file that contains "Debian developer", so debug-me will claim a bogus
key is the key of a debian developer. But if a debug-me user is using such
shady software, it's probably rooted their computer already..
"""]]