In addition to the web-of-trust checking debug-me already does, it could also inform the user whether keys are present in distribution keyrings, such as /usr/share/keyrings/debian-keyring.gpg. This would be especially relevant when it is distribution issues that are to be debugged with debug-me: the person connecting is also capable of pushing updates to the user's machine.
Example output: Sean Whitton is an official Debian Developer (information accurate as of YYYY-MM-DD)
where the date comes from the version of the debian-keyring package.
Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source.
--spwhitton
done; you'll need to include the symlinks to the debian keyring in the keysafe.deb. --Joey
Very good idea!
I suppose all it needs is a list of keyrings to check, and if it finds a key there, it can say "John Doe is a Debian developer" rather than the current "John Doe is probably a real person".
This could be extended beyond distributions; individual software programs could also ship keyrings with their developer(s).
So, how about rather than a hardcoded distro-specific list of keyrings, make debug-me look in /usr/share/debug-me/keyring/$project.gpg. There could be an accompanying file $project.desc that describes the relationship to the project that being in their keyring entails. Eg, "Relationship: Debian developer" in debian.desc.
In the debian package of debug-me, you could then symlink /usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory.
The only risk is that some shady software project ships a keyring with a .desc file that contains "Debian developer", so debug-me will claim a bogus key is the key of a debian developer. But if a debug-me user is using such shady software, it's probably rooted their computer already.
Simplified that slightly. The keyring filename can describe the relationship, eg "a_Debian_developer.gpg". The mtime of the keyring will be displayed so the user knows how up-to-date it is.
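
The lookup discussed in this thread, sketched in Python as an added example; it is not debug-me's own code (debug-me is written in Haskell). The function names, the sample listing, and the choice to match primary-key fingerprints only are assumptions made for the illustration.

```python
import os
import subprocess
from datetime import datetime, timezone

KEYRING_DIR = "/usr/share/debug-me/keyring"  # directory proposed in the thread

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING = (
    "pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:\n"
    "fpr" + ":" * 9 + "0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1400000000::::Example Person <person@example.org>:\n"
    "sub:-:4096:1:1111111111111111:1400000000::::::e:\n"
    "fpr" + ":" * 9 + "FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)

def gpg_list(keyring_path):
    """Machine-readable listing of one keyring file (needs gpg installed)."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring_path,
           "--with-colons", "--fingerprint"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def primary_fingerprints(colon_listing):
    """Fingerprints of primary keys: the fpr record that follows a pub record."""
    found, after_pub = set(), False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False  # fpr records after this belong to a subkey
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.add(fields[9].upper())
            after_pub = False
    return found

def relationships(fingerprint, keyring_dir=KEYRING_DIR, lister=gpg_list):
    """Return [(relationship, keyring date)] for each keyring holding the key."""
    wanted = fingerprint.replace(" ", "").upper()
    hits = []
    for name in sorted(os.listdir(keyring_dir)):
        if not name.endswith(".gpg"):
            continue
        path = os.path.join(keyring_dir, name)
        if wanted in primary_fingerprints(lister(path)):
            # os.stat follows symlinks, so a link to the distribution's
            # keyring reports the mtime of the real keyring file.
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
            hits.append((name[:-4].replace("_", " "), mtime.date().isoformat()))
    return hits
```

Every keyring found in the directory is believed for the relationship its filename claims, which is the risk raised above, so the directory should be writable only by the package manager.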