> > * The key must have a userid that refers to an official Gentoo
> > e-mail address. E.g. dilfri...@gentoo.org
>
> I think this is pretty useless assuming we're already wanting
> to limit the amount of keys trusted to a specific list.

See the remark in a separate sub-thread about signing... Deciding key validity based on signatures is a lot better than based on a central list. Otherwise we are just duplicating existing infrastructure.

> > * The userid should have some specific "default string" in its
> > comment field, like "Gentoo manifest signing key".
>
> What's the point of this? I don't see a reason to enforce a dev to have
> a dedicated Manifest signing key, and even more I don't see a reason to
> add such comments to normal keys.

Well, it's probably not necessary. It might simplify identification of the UID that determines key validity though.

--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/