Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
>>>>> "Joseph" == Joseph Carter <firstname.lastname@example.org> writes:
>>>>> "Nicolás" == Nicolás Lichtmaier <email@example.com> wrote:
Nicolás> There isn't a string relationship betwen identification and Debian trust.
Nicolás> If someone's key is signed, that doesn't mean that the signer certifies a
Nicolás> person as a good and kosher developer. In the other hand, my key is in the
Nicolás> keyring and it isn't signed by anyone...
Nicolás> Not everybody lives a couple of hours away from other developers...
Joseph> Ahh, but Karl does [...]
Who do I live near? I know of Jamie Sharp. Who else? I've not met
them and would like to. Portland, OR, USA.
Joseph> [...] - and Karl has a history of asking (in public) for
Joseph> people to sign his key without proof of identity. He's
Joseph> tried very hard in fact. This rates him as completely
Joseph> untrusted IMO because he has willingly and repeatedly
Joseph> tried to compromise our web of trust despite explanations
Joseph> of just how wrong what he's trying to do is.
That is not true. I've tried to prove my identity by signing a scan
of my state ID with the key and placing that in my home directory on
people.debian.org. The few maintainers whom I've met in person can
look at that ID scan and verify that the man in the photo is the man
they met. That was an attempt at verifying my identity.
It is flawed, however, as I now see. Someone could conceivably have
broken into Karl's storage locker where he stashed the contents of
his apartment before hitchhiking to Ski Villa USA to get a job
washing dishes... and found the scan of Karl's ID card, created a new
key, and started trying to get that key in the keyring in preparation
for total sabotage.
How can we verify my identity? You should not "trust me" too much
until you can verify I'm who I say I am in some way. `vic'
conference? Meet in person? How? Sean Perry or Amos Shapirah, whom
I've met, can verify that the man in the photo on "people" is the man
they've met. Neither of them can vouch for my character; we are
strangers. Neither of them can vouch that I'm (typing this email)
the person in that photo either... unless they ask me specific
questions about our meeting, and I ask them the same sort of
questions. It's sort of like the key fingerprint; but more like
"what did I have for lunch?" or "what did the sign say?".
Joseph> Further, he has resigned. Twice that I've seen. If his resignation
Joseph> hasn't been officially accepted, I'd question why nothing has been done
Joseph> about the obvious attack on the project's security.
It was rash and not well thought out. My feelings were hurt, I was
angry, and I "quit". A day later I'd changed my mind. I have *not*
I have *not* attacked the project's security (intentionally). That
statement is bordering on libel, IMO. Please give me the benefit of
the doubt, and ID me somehow. Verify that the man who's been typing
all this email saying he's Karl Hegbloom really is him; the man in
the photo in people.debian.org:~karlheg/.
Once again, the public key there on "people" should be considered
*interim* and not my future official Debian key. I will create the
official key in the presence of another developer. That interim key
though I can use to verify that it's not been an imposter all this
Wish I was out skiing today though... my new job will pay enough to
afford to go. It will be good to get up on Mt. Hood this winter!
Karl M. Hegbloom <firstname.lastname@example.org>