On Fri, Dec 26, 2014 at 2:56 AM, envite <envite@???> wrote:
>
> I've been thinking on how to sign Devuan Packages, and we need a
> Repository Key and a hard set of trusted keys.
>

Those are two separate problems, the repo key verifies the mirrors are
getting a proper feed from master. Thats somewhat useful.

Developer keys in the sense of conceptual continuity are semi-meaningfull
and could be kept.

SIGNED developer keys as in the Debian implementation are meaningless
security theater and should be disposed of.