* Understand the way debsign works and verify its signatures.
* What happens with expired keys?
* Get about 1000 DDs to test the thing and report bugs.
* Create patches for katie, the buildds and dpkg to sign and verify
signatures everytime a package is touched.
* We need a way to check if the signature is done by a DD ... errr ...
Reworded: To check if the package is signed with a DD's gpg key (ATM
we don't see the difference between someone who rebuilt the package
with his h4x0r3d sk111z signing as "builder" and a DD who's supposed
to do so). Perhaps something with debian-keyring, gpg
--no-default-keyring --keyring, but that won't work with NMs. Do we
need a wanna-be-dd-keyring? Perhaps one with all keys of people
with a package in the archive. Oh, and for non-Debian sources we
would need a --accept-people-not-associated-with-debian switch.
We have to discuss this at least with the debian keyring manager,
and perhaps some more DDs (#debian-devel? email@example.com?)