
Re: Crypto signing of packages



>>>>>>>> On Fri, 28 Feb 1997, Ian wrote:

 Ian> I think I'd like to take a step back from my concrete proposal,
 Ian> and think about what the difficult problems are:
 Ian>
 Ian> * Maintainer identity and initial certification.
 Ian>
 Ian> This is as much a policy as a technical decision - there's a
 Ian> strong effort/security tradeoff.
 Ian>
 Ian> I think that at least one of our objectives should be to
 Ian> establish a sociolegal comeback in the case of a malicious
 Ian> developer. This means that we need to verify the real-world
 Ian> identity of the developer somehow. There are several ways to do
 Ian> this, including personal introduction by an existing developer,
 Ian> commercial key-signing, attempting to use PGP web of trust,
 Ian> telephone verification of some kind, &c.
 Ian>
 Ian> Do we want to have any competence or integrity requirements for
 Ian> our developers ? 

That would be best and I would answer "Yes" but....
(see below)

 Ian> If so then references are probably the best
 Ian> idea, but what kind and who from ?

I am not sure that the project can afford tracing down new
developers for references. Two main reasons for that. First, not
everybody has somebody to give a reference for him: "I am still in
high school but you can talk to my mom..." - what will we answer to
this new developer? Second, who would volunteer to do that? Let's
not forget that we are non-profit.

And after all, if anybody would really want to join the project for
making trojans, he would. IMHO you can't do anything about that.

I would welcome anybody that can convince me of the opposite.

thks
borik

--------------------------------------------------------------
Boris D. Beletsky                          borik@isracom.co.il
Network Administrator                      borik@cs.huji.ac.il
Hebrew University                             borik@debian.org
Jerusalem, Israel                        phone: +972 2 6411880


