[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

Giacomo Catenazzi <cate@cateee.net> writes:

> A naive question: why does not FSF check identity of contributors?
> They must sign a copyright assignment (or disclaimer), send this
> document to FSF, but I see no identity check on FSF side.
> They do this for legal reasons!
> For FSF copyright assignment is more important than identity check.
> For us seems the contrary, but AFAIK FSF work closely with lawyer then
> us!

This may appear counterintuitive, but I believe the FSF is at
significant less legal risk for the sorts of problems we're discussing
than Debian is.  This is because the FSF doesn't distribute binaries and
doesn't provide automated updates to systems.

You could potentially do a lot of damage by sneaking a back door into
FSF-provided code, but it would take a long time for that to make its
way into running computer systems.  It's a possible attack, but it's an
attack that's easier to discover in some respects and much slower to
take effect than a Debian Developer uploading a package with a back door
(which in most cases would also be automatically synchronized to

This would not necessarily apply to the FSF-sponsored distributions, but
I believe none of those are anywhere near as widely used as Debian.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: