blob: 3270c3383b8c0bef18c8181eb924f606bab5e5d0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
[[!comment format=mdwn
username="joey"
subject="""comment 1"""
date="2017-05-20T17:33:53Z"
content="""
Very good idea!
I suppose all it needs is a list of keyrings to check, and if it finds a
key there, it can say "John Doe is a Debian developer" rather than the current
"John Doe is probably a real person".
This could be extended beyond distributions; individual software programs
could also ship keyrings with their developer(s).
So, how about rather than a hardcoded distro-specific list of keyrings,
make debug-me look in /usr/share/debug-me/keyring/$project.gpg
There could be an accompnying file $project.desc that describes the
relationship to the project that being in their keyring entails. Eg,
"Relationship: Debian developer" in debian.desc.
In the debian package of debug-me, you could then symlink
/usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory.
The only risk is that some shady software project ships a keyring with a
.desc file that contains "Debian developer", so debug-me will claim a bogus
key is the key of a debian developer. But if a debug-me user is using such
shady software, it's probably rooted their computer already..
"""]]
|