Unexpected behaviours when a subscriber shares a key with an admin
I created a test list with my personal email address as admin, and I then tried to self-subscribe from my work email address. To my surprise this worked, even though the x-subscribe command was limited to admins - but the two email addresses share the same PGP key so I suspect that the permissions check only tested whether the mail was signed by an admin's key, but not sent from an admin's email address. That's unexpected, but probably not worth worrying about.
The more serious issue is that when I performed admin tasks via *-request using my personal (admin) email address, the work (subscriber) email address got all the confirmation responses. This is particularly concerning because I may wish to only be able to post from that address, not receive mail there that might contain info such as list member details. The work UID is not even the primary UID of that key, so it is unclear why schleuder would have picked that email address to send admin responses to.
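A model of the two behaviours reported above, as an added example that is not part of the original report and is not Schleuder's code. It assumes what the report only suspects: that the subscription is looked up by signing-key fingerprint alone. The `Subscription` struct, the function names, the addresses, the fingerprint and the stored order of the subscriptions are all constructed for illustration.

```ruby
# Hypothetical model of a list's subscriptions; not Schleuder's own classes.
Subscription = Struct.new(:email, :fingerprint, :admin)

FPR = "0123456789ABCDEF0123456789ABCDEF01234567" # constructed fingerprint

# Constructed sample: one key shared by a subscriber address and an admin address.
# Assumption: the subscriber entry happens to be stored first.
SUBSCRIPTIONS = [
  Subscription.new("me@work.example", FPR, false),
  Subscription.new("me@home.example", FPR, true),
].freeze

# Suspected behaviour: only the signing key is consulted. Any admin entry
# with that key grants admin rights, and the reply goes to whichever
# subscription matches the key first. The From address is never used.
def authorize_by_key(subs, from:, signing_fpr:)
  matches = subs.select { |s| s.fingerprint == signing_fpr }
  return { allowed: false, reply_to: nil } if matches.empty?
  { allowed: matches.any?(&:admin), reply_to: matches.first.email }
end

# Stricter variant: the signing key AND the sender address must identify the
# same subscription, and the reply goes only to that subscription's address.
# The From header is not covered by the signature, so this selects which
# role applies for a key holder; the key remains the actual authentication.
def authorize_by_key_and_address(subs, from:, signing_fpr:)
  sub = subs.find do |s|
    s.fingerprint == signing_fpr && s.email.casecmp?(from)
  end
  return { allowed: false, reply_to: nil } if sub.nil?
  { allowed: sub.admin, reply_to: sub.email }
end

# Admin command sent from the subscriber-only address, signed with the shared key.
p authorize_by_key(SUBSCRIPTIONS, from: "me@work.example", signing_fpr: FPR)
p authorize_by_key_and_address(SUBSCRIPTIONS, from: "me@work.example", signing_fpr: FPR)
# Admin command sent from the admin address: compare where the reply is sent.
p authorize_by_key(SUBSCRIPTIONS, from: "me@home.example", signing_fpr: FPR)
p authorize_by_key_and_address(SUBSCRIPTIONS, from: "me@home.example", signing_fpr: FPR)
```

In the key-only model, both symptoms come from the same lookup: the work address inherits admin rights, and the admin's confirmations are delivered to the work address.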