On Wed, Sep 28 2011, Ted Zlatanov wrote:

> To that end it would also be nice if we asked committers to sign their
> contributions with their private GPG key, but I don't know if Bazaar
> supports that.  If they did, we could have a list of approved public GPG
> keys for any given package and contributions signed with those could be
> automatically approved.  This is just a proposal though, I don't know
> the best way to do it.

I though people having commit access to ELPA were already trusted, since
they got their write access SSH authentified?

> Most of us don't know how to run a package repository, so maybe we
> should look at the Debian maintainers' process or ask them if we don't
> have the local expertise.

Well, there's no manual review of packages already present in the
archive at Debian. Only new packages got reviewed (for licensing issue
mainly).

-- 
Julien Danjou