
Re: non-DD contributors and the debian keyring



On Wed, Aug 20, 2003 at 09:40:02AM -0400, Stephen Frost wrote:
> * Martin Quinson (martin.quinson@tuxfamily.org) wrote:
> > $ LC_ALL=C gpg --keyserver keyring.debian.org --recv-keys E145F334 
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
> > 
> > This is the ID of my key, available from www.keyserver.net and signed by 2
> > DDs. Did I mess something up?
> 
> keyring.debian.org has only DDs in it.  I think people were suggesting
> using the public keyservers.  keyring.debian.org isn't a part of the
> public key servers.

That's the part of the system I was criticizing :)

> > Shouldn't Debian make sure that work submissions from non-DD contributors are
> > signed, just like it does for the work submissions from DDs?
> 
> Interesting question.  While it's not a bad idea I don't see it as
> entirely necessary either.  At least when sponsoring a package the DD
> performing the sponsorship must check everything regardless of whether it
> was sent to them signed or not.
[...]

Hey, guys, I began the thread stating that I was mainly a translator and not
a packager.


Let's say that the test case here is that I send a translation patch to
Wichert about dpkg, as I already did. I think that Wichert has no idea about
French, so he cannot review the meaning of my work. If he actually
understands some French, let's imagine I'm Japanese or whatever.


Of course, he can (and should) review the syntax of my po file (a badly
formatted po file can easily let the application segfault by replacing %d by
%s in a printf format). msgfmt will warn him if I made such an error.

Nevertheless, should he trust the meaning of my translation blindly? I mean,
it could contain offending material, and even illegal material. I guess that
there will be someone to bring proceedings if dpkg subtly displayed incitement
to racial crime, or so.

I dunno about the States, but such things can put you in jail for a few
months (if not years) in France. And it should be easy to insert material that
is illegal in the US into displayed text, thanks to your wonderful
anti-terrorist and digital rights management acts...

Who will get sued in such a situation? I guess Debian in the first place, but
if I understand well, the whole identification process of the NM is exactly
about giving Debian the possibility to pass the charges on to the guilty
developer when sued, isn't it?


So, I ask again, shouldn't Debian check the real identity of contributors
when the maintainer is unable to check the material himself?
If that's OK, what is the big deal about asking the DD to have a trusted
key and to sign the packages, anyway?

I know about the public servers, but I was wondering why Debian makes things
harder for the DD while it has the infrastructure to simplify their work.


Thanks for your time, Mt.

-- 
Failure is not an option.
It comes bundled with software.
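The printf-format mismatch mentioned in the message above (a `%d` in the msgid becoming a `%s` in the msgstr) is the kind of defect `msgfmt --check-format` flags. As an added illustration that is not part of this thread, the following standalone Python check re-implements that comparison over a constructed po fragment, so a sponsor can see exactly which entries would crash the program even without being able to read the language.

```python
import re

# Constructed sample .po fragment (not from the thread): French translations of
# dpkg-style messages, with one entry where %d was mistyped as %s.
SAMPLE_PO = '''\
msgid "%d files installed in %s"
msgstr "%d fichiers installés dans %s"

msgid "removing %d packages"
msgstr "suppression de %s paquets"

msgid "done"
msgstr "terminé"
'''

# One printf directive: flags, width, precision, length modifier, conversion.
# Positional forms such as %1$s are deliberately not handled by this
# simplified check (msgfmt does handle them).
DIRECTIVE = re.compile(
    r'%(?:%|[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z|j|t)?[diouxXeEfFgGcsp])'
)

def directives(s):
    """Return the printf conversions in s, in order, with literal %% dropped."""
    return [m for m in DIRECTIVE.findall(s) if m != '%%']

def parse_po(text):
    """Minimal parser: (msgid, msgstr) pairs for single-line entries only."""
    entries, msgid = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('msgid '):
            msgid = line[6:].strip().strip('"')
        elif line.startswith('msgstr ') and msgid is not None:
            entries.append((msgid, line[7:].strip().strip('"')))
            msgid = None
    return entries

def check_format_strings(text):
    """Return (msgid, msgstr, expected, found) for every entry whose msgstr
    directives differ from the msgid's in type, count or order. A difference
    means the C printf call would read the wrong argument types at runtime."""
    problems = []
    for msgid, msgstr in parse_po(text):
        exp, got = directives(msgid), directives(msgstr)
        if exp != got:
            problems.append((msgid, msgstr, exp, got))
    return problems

if __name__ == '__main__':
    for msgid, msgstr, exp, got in check_format_strings(SAMPLE_PO):
        print(f'mismatch: {msgid!r} expects {exp}, translation has {got}')
```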