Re: [Debconf-discuss] list of valid documents for KSPs
On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>         Nothing that a general software developer can do to check an
>  ID is proof against a determined individual, we all assume that there
>  is a gentleman's agreement in place that such an attack is not
>  mounted.

I assume no such thing.  I maintain a healthy degree of skepticism regarding
the true motives and identities of everyone, including those whose keys I've
signed.  It just doesn't interfere with my ability to work with people in
advancement of Debian's goals, because I recognize that statistically it
can't *matter*: assuming the worst about people is no better than assuming
the best, because it basically requires throwing away all collaboration in a
project like this in spite of the fact that in over 10 years of Debian's
existence there hasn't been a single recorded instance of a package
trojaning.

But this is far from assuming that there's a gentleman's agreement in place
-- a gentleman's agreement with people I don't know to be gentlemen in the
first place is worth the paper it's printed on.  OTOH, a gentleman's
agreement with people I know *not* to be gentlemen is worth exactly the
same, so I have no reason to wish to penalize someone for "cracking" a KSP
in this manner.  When I sign a key, I am not asserting that I know beyond
any doubt that the keyholder is who they claim to be -- I am only asserting
that, *to the best of my ability*, I have verified this.  Anyone who thinks
that the best of my ability includes detecting any and all forged IDs is
pretty delusional, but the best of my ability *should* include confirming
that an ID is a form of ID that I'm capable of recognizing, which means that
I failed miserably at this KSP.

> > In other words, Bubba sells forgeries, but the Transnational
> > Republic does not.

>         Riiight.  And I know that how?

In other better words, Bubba is known to sell forgeries, but the
Transnational Republic is not known to sell them.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
