[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

Steve Langasek wrote:
On Wed, Jun 17, 2009 at 01:49:55PM +0200, martin f krafft wrote:

This would also eliminate people that have fake ID from places
that most people wouldn't recognise at all -- we're almost bound
to have a local that will recognise it as fake, and so not sign.
By adding the denouncement procedure that key will get signed by
nobody at the key signing, rather then getting signed by quite
a lot of the people who would have been convinced.

You are putting *way* too much weight and importance into the
government-issued document, and basically none into the identity of
the holder. Seriously: we're supposed to be certifying identities,
not the authenticity of a government document.

I thought this was suitably rebutted years ago after the DC6 keysigning.  To
bring up the same arguments again looks like trying to win by getting the
last word...

The government IDs are relevant because when we're collaborating on an OS
where there's minimal code review of the work done by maintainers and a
well-chosen malicious package could cause millions or billions of dollars in
damage to our users, we[1] want to be able to hold someone accountable in
the real world.  Not an "identity", but a physical person that we can
prosecute and send to jail.

Since governments are in charge of jails, government IDs are therefore the
best tool we have available for this, without significantly compromising our

Very strange logic. BTW AFAIK justice doesn't identify people
because of ID documents. For other administrative works government
identify me with my tax code, my social security number, etc (which
are easily fakeable).

I miss the logic.

BTW usually open source projects use trustiness: if you did a log
of good patches you'll have the commit rights, without identity checks.
AFAIK only Debian has stronger requirements (on identity), and it
is IMO also the reason why we discuss: we have no other good example.

I agree that we should trust and use government ID for identity
check in Debian, but:
- it should be one control out of more others
- stop the FUD. If open source will need to check id document for
  every developer, open source will die.
  We have higher level of security/trustiness, but please don't
  destroy the real man, who do the real job: the upstreams.


Reply to: