> But if all we're doing is taking the keys from other places and updating
> them in Ubuntu, validated by some process that ultimately relies on some
> set of people to assert that the keys are correct, then what are we
> achieving anyway? Can this not just be automated then, and tooling be
> provided in the archive instead, so users can just do that directly when
> they need? Then there would be much reduced burden on maintainence,
> including for the relevant privileged review teams.
I don't see the problem of putting a slight burden on the review
teams, if there is a tool/process to update, review and validate the
content of the keyring.
If the distro maintainers can save users' burden then why not? In the
current implementation, users can just update the keyring by running
`apt update`. It's simple and easy for users.
--
Shengjing Zhu
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
