Re: [Debconf-discuss] GPG keysigning?

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org, debconf-discuss@lists.debconf.org
Subject: Re: [Debconf-discuss] GPG keysigning?
From: Giacomo Catenazzi <cate@cateee.net>
Date: Thu, 25 Jun 2009 20:18:12 +0200
Message-id: <[🔎] 4A43BF64.5070900@cateee.net>
In-reply-to: <[🔎] 87zlbww6ch.fsf@windlord.stanford.edu>
References: <[🔎] 20090623065016.GE21074@piper.oerlikon.madduck.net> <[🔎] 20090622130442.GA27701@lapse.rw.madduck.net> <[🔎] 20090617114955.GC19011@piper.oerlikon.madduck.net> <[🔎] 20090625050327.GD21562@dario.dodds.net> <[🔎] 20090625081840.GC14225@piper.oerlikon.madduck.net> <[🔎] 87zlbww6ch.fsf@windlord.stanford.edu>

Russ Allbery wrote:
> martin f krafft <madduck@debconf.org> writes:
>> also sprach Steve Langasek <vorlon@debian.org> [2009.06.25.0703 +0200]:
> 
>>> The government IDs are relevant because when we're collaborating on
>>> an OS where there's minimal code review of the work done by
>>> maintainers and a well-chosen malicious package could cause millions
>>> or billions of dollars in damage to our users, we[1] want to be able
>>> to hold someone accountable in the real world.  Not an "identity",
>>> but a physical person that we can prosecute and send to jail.
> 
>> I challenged this and have not heard anything else. How exactly do you
>> think Debian would sue me, assuming I am in Switzerland, or let's say
>> Russia, Korea, or Senegal?
> 
> Debian isn't going to sue you itself.  Debian has no legal existence to
> sue anyone.
> 
> Debian would hold the hypothetical malicious you accountable, by which I
> mean that when the police come to a Debian delegate wanting to know how
> a Trojan horse was introduced into thousands of computers around the
> world, that delegate would point to the physical person who did the
> upload and say "go talk to them about it," after which point the normal
> legal processes for criminal activity that crosses national borders
> would work their way out.
> 
> There have been successful prosecutions and multi-government sting
> operations on some rings of computer criminals.  Not a lot, because it's
> a hard problem, but it does happen.  And, almost equally importantly, if
> Debian can identify a specific responsible person, that means that
> Debian can identify a thousand people who *aren't* responsible, namely
> all the rest of us.

A naive question: why does not FSF check identity of contributors?
They must sign a copyright assignment (or disclaimer), send this
document to FSF, but I see no identity check on FSF side.

They do this for legal reasons!

For FSF copyright assignment is more important than identity check.
For us seems the contrary, but AFAIK FSF work closely with lawyer
then us!

ciao
	cate


PS: to answer to an other recent thread: FSF must know the
real name of all contributors, but FSF allows one to use in public
a pseudonym.

Reply to:

Follow-Ups:
- Re: [Debconf-discuss] GPG keysigning?
  - From: Russ Allbery <rra@debian.org>

References:
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: Steve Langasek <vorlon@debian.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: martin f krafft <madduck@debconf.org>
- Re: [Debconf-discuss] GPG keysigning?
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: [Debconf-discuss] GPG keysigning?
Next by Date: Re: [Debconf-discuss] GPG keysigning?
Previous by thread: Re: [Debconf-discuss] GPG keysigning?
Next by thread: Re: [Debconf-discuss] GPG keysigning?
Index(es):
- Date
- Thread