+debian-project, debian-private -> bcc

Daniel Kahn Gillmor wrote:
> On Tue 2017-10-10 15:22:06 +0200, Enrico Zini wrote:
>> To me it would be already a big step forward to make Debian workflows
>> auditable, so anyone can have a look at what other people are doing.
>>
>> Contributions are generally all in the open, but it's pretty hard to
>> collate them all into a single audit log that one can look at.
>>
>> I would find such a thing useful also to audit myself, to see if things
>> are being done in my name that I am now aware of.
>
> I would also like this, for my own keys, and for the keys that i really
> depend on (like the archive signing key, for example).
>
> A likely approach would be similar to the "certificate transparency"
> model, where a signature from a public key isn't accepted unless/until
> it has been logged publicly someplace. This creates an incentive to
> log, and the log itself provides the transparency needed to make it
> *possible* to audit.
>
> If anyone is interested in working on this, i'd be happy to talk more
> about it further -- there are several designs in the "binary
> transparency" space that take this approach, and it would be great if
> debian could lead the way.
>
> sadly, i lack the time to implement this myself right now.
>
>> (all my reply can be quoted on a public list)
>
> same with mine.
>
> --dkg

Thanks,
Jonathan
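The "signature is not accepted until it has been logged" policy dkg sketches above, shown as an added example that is not code from this thread, from Debian or from any transparency-log project. It builds a minimal RFC 6962-style Merkle log (leaf/node domain separation, inclusion proofs), stands in for an OpenPGP signature with an HMAC over a constructed secret, and gives the verifier the two checks the model needs: the signature must verify *and* the log must prove it was recorded. The signer id `ftp-master`, the release strings and the key material are all constructed for the demo; the log also keeps raw entries so a keyholder can audit what was done under their name, which is the other use the thread asks for.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix keeps leaf hashes in a different domain from node hashes (RFC 6962 convention)
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    # largest power of two strictly less than n (requires n >= 2)
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, index: int) -> list:
    # audit path: list of (side, sibling_hash) from the leaf up to the root
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


class TransparencyLog:
    """Append-only log of signature records; the published root commits to all of them."""

    def __init__(self):
        self.entries = []  # raw records, so anyone can audit what was signed and by whom
        self.leaves = []

    def append(self, entry: bytes) -> int:
        self.entries.append(entry)
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def prove(self, index: int) -> list:
        return inclusion_proof(self.leaves, index)

    def entries_signed_by(self, signer_id: bytes) -> list:
        # what a keyholder would scan to find things "done in my name"
        return [e for e in self.entries if e.split(b"|", 1)[0] == signer_id]


# Stand-in for an OpenPGP signature (assumption for the demo): HMAC keyed with the signer's secret.
def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def signature_entry(signer_id: bytes, message: bytes, sig: bytes) -> bytes:
    return b"|".join([signer_id, message, sig.hex().encode()])


def accept_signature(key: bytes, signer_id: bytes, message: bytes, sig: bytes,
                     proof: list, log_root: bytes) -> bool:
    """Verifier policy: a cryptographically valid signature is still rejected unless logged."""
    if not hmac.compare_digest(sign(key, message), sig):
        return False
    return verify_inclusion(leaf_hash(signature_entry(signer_id, message, sig)), proof, log_root)


def demo() -> tuple:
    key = b"constructed-archive-signing-secret"          # constructed, not a real key
    signer = b"ftp-master"                                 # constructed signer id
    log = TransparencyLog()
    msgs = [b"Release: stable 2017-10-10", b"Release: testing 2017-10-11",
            b"Release: unstable 2017-10-12"]
    records = {m: (sign(key, m), log.append(signature_entry(signer, m, sign(key, m)))) for m in msgs}
    root = log.root()                                      # the value the log publishes
    sig, idx = records[msgs[1]]
    logged_ok = accept_signature(key, signer, msgs[1], sig, log.prove(idx), root)
    # A signature made with the same key but never logged: valid HMAC, no inclusion proof.
    rogue = b"Release: stable 2017-10-13 (never logged)"
    unlogged_ok = accept_signature(key, signer, rogue, sign(key, rogue), log.prove(0), root)
    return logged_ok, unlogged_ok, len(log.entries_signed_by(signer))
```

`demo()` returns `(True, False, 3)`: the logged release is accepted, the unlogged one is refused even though its signature is valid, and the keyholder can enumerate the three records issued under their id. A real deployment would replace the HMAC with OpenPGP verification and add consistency proofs between successive roots so an auditor can check the log never rewrote history.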

