Re: [Debconf-discuss] GPG keysigning?

To: debian-devel@lists.debian.org, debconf-discuss@lists.debconf.org
Subject: Re: [Debconf-discuss] GPG keysigning?
From: Russ Allbery <rra@debian.org>
Date: Thu, 25 Jun 2009 11:24:29 -0700
Message-id: <[🔎] 87fxdouq76.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 4A43BF64.5070900@cateee.net> (Giacomo Catenazzi's message of "Thu\, 25 Jun 2009 20\:18\:12 +0200")
References: <[🔎] 20090623065016.GE21074@piper.oerlikon.madduck.net> <[🔎] 20090622130442.GA27701@lapse.rw.madduck.net> <[🔎] 20090617114955.GC19011@piper.oerlikon.madduck.net> <[🔎] 20090625050327.GD21562@dario.dodds.net> <[🔎] 20090625081840.GC14225@piper.oerlikon.madduck.net> <[🔎] 87zlbww6ch.fsf@windlord.stanford.edu> <[🔎] 4A43BF64.5070900@cateee.net>

Giacomo Catenazzi <cate@cateee.net> writes:

> A naive question: why does not FSF check identity of contributors?
> They must sign a copyright assignment (or disclaimer), send this
> document to FSF, but I see no identity check on FSF side.
>
> They do this for legal reasons!
>
> For FSF copyright assignment is more important than identity check.
> For us seems the contrary, but AFAIK FSF work closely with lawyer then
> us!

This may appear counterintuitive, but I believe the FSF is at
significant less legal risk for the sorts of problems we're discussing
than Debian is.  This is because the FSF doesn't distribute binaries and
doesn't provide automated updates to systems.

You could potentially do a lot of damage by sneaking a back door into
FSF-provided code, but it would take a long time for that to make its
way into running computer systems.  It's a possible attack, but it's an
attack that's easier to discover in some respects and much slower to
take effect than a Debian Developer uploading a package with a back door
(which in most cases would also be automatically synchronized to
Ubuntu).

This would not necessarily apply to the FSF-sponsored distributions, but
I believe none of those are anywhere near as widely used as Debian.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: Steve Langasek <vorlon@debian.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: Russ Allbery <rra@debian.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: Giacomo Catenazzi <cate@cateee.net>

Prev by Date: Re: [Debconf-discuss] GPG keysigning?
Next by Date: [Debconf-discuss] Paying Renfe with VISA (was: How to get the "web" rate for Madrid...)
Previous by thread: Re: [Debconf-discuss] GPG keysigning?
Next by thread: [Debconf-discuss] Debian installer session at Debcamp
Index(es):
- Date
- Thread