The Debian project is one of the largest free software undertakings worldwide. It is geographically distributed, and participation in the project is done on a voluntary basis, without a single formal employee or directly funded person. As we will explain, due to the nature of the project, its authentication needs are very strict - User/password schemes are way surpassed, and centralized trust management schemes such as PKI are not compatible with its distributed and flat organization; fully decentralized schemes such as the OpenPGP Web of Trust are insufficient by themselves. The Debian project has solved this need by using what we termed a “curated Web of Trust”. We will explain some lessons learned from a massive key migration process that was triggered in 2014. We will present the social insight we have found from examining the relationships expressed as signatures in this curated Web of Trust, as well as a statistical study and forecast on aging, refreshment and survival of project participants stemming from an analysis on their key’s activity within the keyring.

中文翻译：

---

关于大规模部署可信Web的见解：Debian项目的加密密钥环

Debian项目是全球最大的免费软件事业之一。它在地理上分布，并且参与项目是在自愿的基础上进行的，没有单个正式雇员或直接出资的人。正如我们将解释的那样，由于项目的性质，其身份验证需求非常严格-用户/密码方案被远远超越，并且集中式信任管理方案（例如PKI）与其分布式和扁平组织不兼容；完全分散的计划（例如OpenPGP Web of Trust）本身是不够的。Debian项目通过使用我们所谓的“精选信任网络”解决了这一需求。我们将解释从2014年触发的大规模关键迁移过程中学到的一些经验教训。