[donaldstufft]

> Before you can submit packages to Debian you have to get an existing Debian developer to sign your PGP key. In Debian the trust flows downward from older developers to newer developers.

This is not how signing works in Debian at a technical level. At at technical level uploading to Debian requires them to add your key to a list of keys maintained by the archive administrators. As a matter of policy those administrators ask you to get your key signed by an existing Debian Developer, but at no point does their upload infrastructure check that or use the Web of Trust.

[upofadown]

That list of keys maintained by the archive administrators are signed by debian developers. That is how the archive admins can be sure that the key is in some sense legit. Otherwise where would be the root of trust?

[donaldstufft]

The root of trust for uploads is the listed of signatures maintained by the archive administrators, flat out.

The requirement for having individual keys signed by Debian Developers just makes it easier for the archive administrators to decipher which keys they want to add to their root of trust. The upload system does not check those signatures at all, they do not need to exist in the slightest as far as the upload system is concerned.

[mistrial9]

this seems motivated ulterior to the topic, or making a mountain out of a small hill for other reasons. The act of approval is done approximately manually at first, with automation supporting that decision over time. Perfect machines are in short-supply, so to this day there is some manual aspect to this, which is faulted with a tone that is dire ... doesn't add up based on my understanding of this