[H-GEN] Effect of Debian Keyring expires
Russell Stuart
russell-humbug at stuart.id.au
Sat Nov 8 19:41:21 EST 2014
We had a discussion at Humbug about Debian expiring all PGP keys less
than 2048 bits. I said at the time I thought about 50 Debian Developers
and maintainers would be effectively banned from updating their packages
until they got their act together. The number is actually 397. That
number is too large, so they can't carry out the threat to ban them.

I also said that Debian had around 4000 developers. That was based on a
figure given in an LCA talk given by bdale. I'm not sure how you are
supposed to get the definitive count of people who can upload new
packages. db.debian.org hosts an LDAP database of Debian developers. A
search with no criteria returns 1086 of them. Another measure is the
number of GPG keys stored in /usr/share/keyrings/debian-keyring.gpg on
Debian systems. There are 1002 in there in jessie.

In addition there are 221 Debian Maintainers, who are effectively Debian
Developers in training; however, 43 also have short keys, and thus
could also be banned from uploading to the archive until they arrange to
get a strong GPG key.

To people wondering why this is important: effectively all Debian users
have granted these people the power to install any program they wish
onto their systems, including viruses and rootkits. To the best of my
knowledge this power has never been abused in the history of Debian.
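The counts above come from inspecting the keyring by hand. The following script is an added example (not part of the original post, and not Debian's own tooling) showing how one would audit a keyring for keys below a size threshold: it parses the machine-readable `pub` records that `gpg --with-colons --list-keys` prints, counts the keys, and flags RSA/DSA/ElGamal keys shorter than 2048 bits while leaving ECC keys (whose bit lengths are short by design) out of that rule. The embedded sample output and its key IDs are constructed for the example.

```python
"""Audit a GnuPG keyring listing for keys shorter than a minimum size.

Added example, not from the original post. Parses the `pub` records of
`gpg --with-colons --list-keys` output and reports keys whose length is
below a threshold. The SAMPLE listing below is constructed for this
example; its key IDs and names are made up.
"""
from collections import Counter

# Public-key algorithm IDs from RFC 4880 section 9.1. Only the
# size-sensitive algorithms are judged against the bit threshold; ECC
# keys (18/19/22) are 255/256 bits by design and are reported separately.
SIZE_SENSITIVE_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA"}
ECC_ALGOS = {18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def parse_pub_records(colon_output):
    """Yield (keyid, algorithm_number, bits) for every 'pub' record.

    `--with-colons` fields (0-indexed): 0=record type, 1=validity,
    2=key length in bits, 3=algorithm number, 4=key ID, 5=creation date.
    Subkeys ('sub') are ignored so each primary key is counted once.
    """
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        yield fields[4], int(fields[3]), int(fields[2])


def audit_keyring(colon_output, min_bits=2048):
    """Return {'total': n, 'weak': [(keyid, algo_name, bits)], 'by_algo': {...}}."""
    total = 0
    weak = []
    by_algo = Counter()
    for keyid, algo, bits in parse_pub_records(colon_output):
        total += 1
        name = SIZE_SENSITIVE_ALGOS.get(algo) or ECC_ALGOS.get(algo) or f"algo{algo}"
        by_algo[name] += 1
        if algo in SIZE_SENSITIVE_ALGOS and bits < min_bits:
            weak.append((keyid, name, bits))
    return {"total": total, "weak": weak, "by_algo": dict(by_algo)}


# Constructed sample of `gpg --with-colons --list-keys` output (fake key IDs):
# a 1024-bit DSA key, a 4096-bit RSA key, a 1024-bit RSA key and an EdDSA key.
SAMPLE = """\
tru::1:1415400000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1041379200:::-:::scESC::::::::
uid:-::::1041379200::XXXX::Alice Example <alice@example.invalid>::::::::::
sub:-:2048:16:FEDCBA9876543210:1041379200::::::e::::::::
pub:-:4096:1:1111222233334444:1381449600:::-:::scESC::::::::
uid:-::::1381449600::YYYY::Bob Example <bob@example.invalid>::::::::::
pub:-:1024:1:5555666677778888:1100000000:::-:::scESC::::::::
uid:-::::1100000000::ZZZZ::Carol Example <carol@example.invalid>::::::::::
pub:-:255:22:9999AAAABBBBCCCC:1415400000:::-:::scESC::::::::
uid:-::::1415400000::WWWW::Dan Example <dan@example.invalid>::::::::::
"""

if __name__ == "__main__":
    report = audit_keyring(SAMPLE)
    print(f"{report['total']} keys, {len(report['weak'])} below 2048 bits")
    for keyid, name, bits in report["weak"]:
        print(f"  {keyid}: {name} {bits}-bit")
    print("by algorithm:", report["by_algo"])
```

To run it against a real keyring instead of the sample, feed it the output of `gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --list-keys --with-colons`. Note that the script counts primary keys only, so the total matches "number of keys in the keyring" rather than the number of key packets, and that a short subkey on an otherwise strong primary key is not flagged.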