
Re: [Debconf-discuss] GPG keysigning?

martin f krafft <madduck@debconf.org> writes:
> thus spoke Steve Langasek <vorlon@debian.org> [2009.06.25.0703 +0200]:

>> The government IDs are relevant because when we're collaborating on
>> an OS where there's minimal code review of the work done by
>> maintainers and a well-chosen malicious package could cause millions
>> or billions of dollars in damage to our users, we[1] want to be able
>> to hold someone accountable in the real world.  Not an "identity",
>> but a physical person that we can prosecute and send to jail.

> I challenged this and have not heard anything else. How exactly do you
> think Debian would sue me, assuming I am in Switzerland, or let's say
> Russia, Korea, or Senegal?

Debian isn't going to sue you itself.  Debian has no legal existence to
sue anyone.

Debian would hold the hypothetical malicious you accountable, by which I
mean that when the police come to a Debian delegate wanting to know how
a Trojan horse was introduced into thousands of computers around the
world, that delegate would point to the physical person who did the
upload and say "go talk to them about it," after which point the normal
legal processes for criminal activity that crosses national borders
would work their way out.

There have been successful prosecutions and multi-government sting
operations on some rings of computer criminals.  Not a lot, because it's
a hard problem, but it does happen.  And, almost equally importantly, if
Debian can identify a specific responsible person, that means that
Debian can identify a thousand people who *aren't* responsible, namely
all the rest of us.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
