On 11/6/18 7:32 AM, Bartłomiej Piotrowski via arch-dev-public wrote:
>> Here again I would argue that they are devs that have [core] pushing
>> rights, as well as devs that are Master Key holders. So even if you
>> don’t want to write this black on white, this actually means a small
>> group of people have the real control over the distro (technically,
>> Master Key holders could revoke everyone else).
>
> You can argue, but it's simply not true. Any developer has access to
> [core]. Master key holders aren't considered any better than other
> developers besides having more duties and no one has ever refused to
> sign new TU; for every master key holder, there is someone else holding
> revocation certificate. There is no hierarchy.

I guess in addition it should be pointed out there's no technical measure stopping *any* Dev from pushing a new keyring package that deletes/revokes/disables all master keys and current packaging keys and replaces the entire keyring with their own key alone. It's just yet another package...

--
Eli Schwartz
Bug Wrangler and Trusted User

