evaluate possible options for OpenPGP keyring maintenance
Many tickets here are about maintaining the various keyrings required for daily operations at Tor. A few examples include new keys, expiration updates and so on: #27748 (moved), #27748 (moved), #27726 (moved), #27600 (moved), #28891 (moved), #28150 (moved), #28138 (moved), #29455 (moved)... but there are literally hundreds of such tickets.
Those keys currently get stored in LDAP and require a TPA to make changes, that is in git@git-rw.torproject.org:admin/account-keyring.git and ssh://alberti.torproject.org/srv/db.torproject.org/keyrings/keyring.git. The TPA password manager also has its own keyring subset, see #29677 (moved).
Then there's also stuff like the torbrowser signing keys which are not stored in LDAP (#28306 (moved)), creating another source of truth for keys.
All of this makes key maintenance and discovery difficult. Investigate possible alternatives, including Debian packages (like the one used by debian-archive-keyring), a private keyserver, gpgsync, monkeysphere, or a flock of unicorn. ;)