FS#29471 - Validity of (ex) developer keys

Attached to Project: Arch Linux
Opened by Nikolai Maziashvili (mkudro) - Sunday, 15 April 2012, 13:40 GMT
Last edited by Allan McRae (Allan) - Friday, 27 April 2012, 06:27 GMT
Task Type General Gripe
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version 2011.08.19
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

When installing virt-manager i was asked to add key from Angel Velasquez for python2-cairo package. But i couldn't find him on dev list (https://www.archlinux.org/master-keys/) - point of reference for me. So key verification was not possible, so i emailed him and Angel was king enough to response and indeed confirm my thought that he was not developing for arch anymore.
I know i sound paranoid here, but what is the point of key signing if we just go and accept everything that comes along. I have no reason, especially after communicating with Angel, not to trust/import his key, but this is not my point. If his key is still regarded as trusted/valid, although he is not dev any more, he still should remain on the list until someone takes over and resigns the package.
This task depends upon

Closed by  Allan McRae (Allan)
Friday, 27 April 2012, 06:27 GMT
Reason for closing:  Not a bug
Comment by Ionut Biru (wonder) - Sunday, 15 April 2012, 15:37 GMT
look in Fellows Profiles
Comment by Nikolai Maziashvili (mkudro) - Sunday, 15 April 2012, 23:37 GMT
Thnx Ionut, didn't know about that. Still very new to arch :).

Loading...