Scripts used for the keyring analysis
This page is meant as a companion to
the articles and presentations we have done
on the topic of keyring trust model and analysis, so far
always based on the Debian project's keyring.
The scripts are quick and dirty, and as it often happens, we
were tempted to just use their results and forget about
them. But we were prompted to be coherent and
- Data sources
- We have worked from publicly available data — Our input is
keyring's public Git repository.
- Evolution in numbers
To understand how the repositories grew and how mny keys of
each type we had over time, we
used this set of Ruby
This set of scripts also generates the
Graphviz files that graph the keyrings' signatures akin to a
- Representing the keyring in a RDBMS
- This set of scripts runs from
the Git repository, analyzing the status of each defined
keyring directory, and represents it in a PostgreSQL
- Statistical analysis
Survival analysis is done by a set
of programs in R. They work
over this post-processed
output of the Git data.
- Measuring key signing parties
- We also measured the size and effects
of key signing parties (KSPs). The output for these
scripts is a set of Gnuplot-generated graphs.
- The keyring at each KSP
- We use this script to generate
person-centered graphs for each DebConf key signing
party. Said graphs are published
- How do keys walk between keyrings?
Keys enter our worldview, and can migrate between the
different defined keyrings. How is their movement over time?
We have not yet used this set of scripts in any publication,
so I'm linking here some of the images. As this works off the
Git repository, it does not measure time in months, but
in tags; there is roughly one tag per month, except
for special cases.