[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Becoming a package maintainer

On Sun, Feb 15, 1998 at 11:28:49PM -0500, Will Lowe wrote:

> > scanned in picture of my US drivers license?  What needs to be PGP
> 1) Scan in your license.
> 2) Put your pgp fingerprint (a mess of two-character strings) on the image
> with GIMP or XFIG or something -- do it in some whitespace under the
> image.
> 3) Pgp-sign the image --- with pgp -s filename.jpg
> 4) mail the thing to the new-maintainer people.
> At least,  it worked for me.  You'll need to include an ascii copy of your
> pgp public key so the person at the other end can check the signature,
> etc ... 

While we're here, I know we don't want to make it any _more_ difficult to
become a new maintainer, but step 2 as stated doesn't provide any additional
security at all.  For example, someone at Debian (or someone who intercepts
my message along the way, steals it from my computer, etc.) could grab the
image, use GIMP to write their own PGP fingerprint on it, re-sign the message,
and send it out again.

I think the intent of the rule is to require a _handwritten_ PGP fingerprint
on the actual image, before it is scanned.  With modern tools like GIMP, of
course, even that's pretty hazy security...

At the very least, perhaps we should encourage people to encrypt these images
to prevent interception?  (Even then, the Debian new-maintainers manager
could try the same tricks, but it would be somewhat pointless and Debian
developers are all too nice anyway :))

Have fun,


TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: