
Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys

On Sat, May 27, 2006 at 04:47:20PM -0500, martin f krafft wrote:

> The Debian project heavily relies on keysigning for much of its
> work. However, I think the question what the signing of a key
> actually accomplishes has not been properly addressed. In my
> opinion, from the point of view of the Debian project, a person's
> actual identity (as in the name on your birth certificate) matters
> very little; the Debian project does not actively interfere with
> a person's real life in such a way as to require the birth
> certificate identity (legal cases, liability issues, etc.).

I don't agree that the Debian project shouldn't care about being able to map
the names of its contributors back to real-world entities.  The work we do
in Debian has real-world impact on lots of people, and if someone attacks
the integrity of Debian from the inside they should expect real-world
consequences for doing so.

Having a contributor's real name is an aid to holding them accountable, even
though it's neither globally unique nor permanent.

> Moreover, it's rather trivial in several countries of this world to
> change your official name. In this context, even the claim that in
> the case of a trust abuse, your reputation throughout the FLOSS
> community (and the rest of the Internet) should be properly
> tarnished, does not stand, IMHO.

In the jurisdictions I'm familiar with, unless you're in a witness
protection program, changing one's official name is accompanied by open
court records showing the old and new names and it is thus not a terribly
effective means of avoiding pesky inconveniences like creditors and criminal
charges.  So legally changing your name isn't going to stop us from getting
your ass thrown in jail for computer crimes; OTOH, if you were using a
pseudonym in the first place and no one detected it, that may be more of an

> I imagine an improved protocol for the keysigning, which is based on
> an idea I overheard after the party (and someone mentioned it in the
> thread): instead of the everyone-signs-everyone approach, it might
> be interesting to investigate forming groups (based on connectivity
> statistics) such that everyone's mean distance in the web of trust
> can be increased by a fair amount in a short amount of time. At the
> same time, such circles could be used for education by those with
> high connectivity (and thus much experience). The problem here is of
> course the somewhat unreliable attendance of people. Comments
> welcome.

I agree that this is the way to go.  Who has time to work on implementing
the necessary code?

> thus spoke Enrico Zini <enrico@enricozini.org> [2006.05.25.1218 -0500]:
> > However, from the book you don't get the address of madduck's
> > home, which is what you want when you have to go and drag him to
> > jail if he willingly uploads some malicious code.

> Could you even drag me to jail for anything I do (or don't do) in
> Debian? Which jurisdiction would be used? Who'd be the prosecutor?
> What kind of legal claims would actually stand a chance?

There are federal computer crime laws in the US that would cover things like
trojaning packages or rooting Debian servers.
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm suggests that EU
member states should have laws criminalizing such activities as well, though
I don't know the implementation details of any.

That would certainly cover the majority of DDs today, anyway.  And for the
rest, we always have the CIA to kidnap them for us so they can be tried in
the US. :-P

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
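The group-forming idea quoted above (pick a set of attendees whose mutual signing does the most for everyone's distance in the web of trust) is easy to sketch as a graph problem. The block below is an added example written for this page; it is not code from the thread, from madduck, or from the Debian project. It assumes a simplified model: each key is a node, a pair of keys that have cross-signed is an undirected edge (real OpenPGP signatures are one-way, so a production tool would work on the directed signature graph), and "improving mean distance" is read as lowering the average shortest-path hop count between keys. The key names and the chain of signatures are constructed sample data, and the greedy selection is a heuristic, not an optimal search.

```python
"""Toy keysigning-group planner (added example; not from the thread or Debian).

Model (an assumption of this example): a key is a node and a pair of keys that
have cross-signed is an undirected edge. The planner picks the group whose
mutual signing most lowers the mean shortest-path distance between all keys.
"""
from collections import deque
from itertools import combinations


# Constructed sample web of trust: nine hypothetical keys signed in a chain,
# the sparse shape a small project ends up with after ad-hoc signing.
SAMPLE_SIGNATURES = [
    ("alice", "bob"), ("bob", "carol"), ("carol", "dave"), ("dave", "erin"),
    ("erin", "frank"), ("frank", "gina"), ("gina", "hank"), ("hank", "ivan"),
]


def build_graph(pairs):
    """Adjacency sets for an undirected cross-signature graph."""
    graph = {}
    for a, b in pairs:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def bfs_distances(graph, source):
    """Hop counts from source to every reachable key."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def mean_distance(graph):
    """Average shortest path over all unordered key pairs.

    A pair with no path at all is charged len(graph) hops, so an island of
    keys is penalised rather than silently ignored.
    """
    keys = sorted(graph)
    penalty = len(keys)
    total = 0
    for i, u in enumerate(keys):
        dist = bfs_distances(graph, u)
        for v in keys[i + 1:]:
            total += dist.get(v, penalty)
    pairs = len(keys) * (len(keys) - 1) // 2
    return total / pairs if pairs else 0.0


def with_group_signed(graph, group):
    """Copy of graph after every member of group has signed every other."""
    new = {u: set(nbrs) for u, nbrs in graph.items()}
    for a, b in combinations(group, 2):
        new[a].add(b)
        new[b].add(a)
    return new


def choose_group(graph, size):
    """Greedy heuristic: start with the pair whose cross-signing lowers the
    mean distance most, then keep adding the key that lowers it most.

    Trying every possible group is exponential; greedy is cheap enough to
    run on a few hundred keys and good enough as a planning aid.
    """
    keys = sorted(graph)
    size = min(size, len(keys))
    cost = lambda members: mean_distance(with_group_signed(graph, members))
    group = list(min(combinations(keys, 2), key=cost))
    while len(group) < size:
        candidates = [k for k in keys if k not in group]
        group.append(min(candidates, key=lambda k: cost(group + [k])))
    return group


def plan(pairs, size):
    """Return (mean before, chosen group, mean after) for a signing group."""
    graph = build_graph(pairs)
    group = choose_group(graph, size)
    after = mean_distance(with_group_signed(graph, group))
    return mean_distance(graph), group, after


if __name__ == "__main__":
    before, group, after = plan(SAMPLE_SIGNATURES, 3)
    print(f"mean distance {before:.2f} -> {after:.2f} "
          f"if {', '.join(group)} cross-sign")
```

On the sample chain the planner picks bob and hank first (the two keys whose mutual signature closes the chain into a loop most effectively) and then erin in the middle, taking the mean distance from about 3.33 hops to under 2. Fed with real signature data exported from a keyring, the same greedy step is what a keysigning-party organiser would run to decide which attendees to put in the same circle.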
