Re: [nm-admin] Identification step in the current scheme (Re: Fear the new maintainer process)
On Tue, Aug 01, 2000 at 03:14:51PM -0400, Gopal Narayanan wrote:
> On Wed, Aug 02, 2000 at 03:43:12AM +1000, Anand Kumria wrote:
> > > Membership is a privilege, and if you have to take a couple of
> > > bureaucratic steps, so be it. You don't haggle with your passport
> > > office about providing your passport photos, do you? If you need to
> > Actually I do -- but that is an entirely different story.
> > If you understand how passports work you have one person (in some
> > countries of a particular occupation, e.g doctor, lawyer, etc.)
> > who can authenticate to the government that you are who you say
> > you are.
> > In the Debian country you could liken that person to existing maintainers.
> > Dale's process says that existing maintainers are not able to authenticate
> > aspiring maintainers who they have confirmed the identity of. Essentially
> > we cease to trust existing developers.
> Even in the case of passports, it is a two-step process. First step,
> is as you allude to, you have a notarized signature, from say a doctor
> or lawyer, stating that you are who you are. In addition, you need a
> photograph *for the record*. The photo on your passport is one of the
> pieces of identification, the other is your signature [Of course, both
> can be forged, I don't want to get into that]
You are only half-right. The photo is not there to record your identify,
for instance ...
Let assume a world where matter transportion was instantanious and without
cost. Lets further assume that Governments had embraced strong cryptography
and in particular public key crypt. Yes, it would be a Utopia .
How would passports work in such a world?
1. You authenticate yourself to your own Government (for example by
showing your birth certificate, etc.)
2. They present you with a box and invite you to padlock it (the padlock
is analogous to your public key).
3. You then fly to some other country, let's say the US, turn up at immigration
state your name, birthdate and country. Then they contact your claimed
country of nationality and ask for the box.
4. They present you with the box, you pull out the key to open the padlock
(the key is analogous to your private key), open the box and see a certificate
from your country indicating that you are a citizen of it.
Your "passport" doesn't contain any identifying information because it is
unneccessary - so long as the US Government trusts the issuing Government
to authenticate individuals properly they don't need to see the same things
used to do the authentication.
This how a web of trust works. Debian purpurts to trust its existing
developers. If it did then once a developer had already signed (i.e.
authenticated an individual) a key other developers, like AMs and DAMs
should trust that signature.
> All, I am saying is that the photo id requested does not mean that
> existing developers are not to be trusted. It is an *additional* piece
> of documentation that goes into the new-maintainer/developer's file. I
Then it should, by rights, be stored somewhere on db.debian.org rather
than kept, secret service like, with the DAM.
> think some sort of traceability is good. As debian maintainers, we can
The identification traceability is provided by signatures on applicants
> upload packages. If I am malicious and crafty enough, I can put a
> trojan horse in my package that can cause a lot of financial damage to
> some company/institution. Debian can be held responsible for this act
> of vandalism. Simply put, the debian new-maintainer team now at least
> has *some* pieces of identification on who I am. As debian
> maintainers, we have a lot of responsibility. Users take for granted
> that the software they download from our website, or CDs are
So, then, why we is this only applied to *new* maintainers? Surely if the
situation is as grave as you claim you could formulate a General Resoultion
insisting that every existing developer provide a means to identify
themselves. It might even pass with a convincing majority.
> > > travel abroad, you do the needful to *apply* for a passport. After a
> > > loong discussion, I believe the current procedures have been adopted
> > > for applications for new members, and IMO they are equitable and
> > > reasonable.
> > I'm not if you have read the archives -- I have. I posted a long
> > summary on the nm-admin (or nm-discuss) mailling list. It'll
> > certainly be in the archive if you care to look (Since it was in March
> > it'll take me more effort than I have at 0330 to find).
> I couldn't find your summary. The archives on the web only lists the
> July archive.
I am referring to this one,
The debian-newmaint-admin and debian-newmaint-discuss mailing lists are
very recent creations. Unfortunately to access that URL you'll need to be
a member of the mailing list.
I've placed the same message at:
<URL: http://www.progsoc.org/~wildfire/debian/nm-admin/2000-May/000395.html> so you can see what I was on about.