
Re: Concerns about Security of packages in Debian OS and the Operating system itself.



On Mon, May 23, 2022 at 07:22:40PM +0100, lkcl wrote:
> > > i believe the answer is in the question. debian is based on distributed trust.  i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate.
> >
> > This is not an answer to the question though, OP was asking how we prevent abuse of that trust.
> 
> reputation, and potentially criminal and civil proceedings.
> 
> all identities are known, and inviolate-known [through the
> above-described chain].
(there is no mechanism to tie a GPG key to an actual person or to find who
actually did the signing)

> anyone stupid enough to abuse their position may only do so once, at which
> point their GPG key is revoked.
(only after the abuse is found)

> given that GPG key-signing parties require people's real-world identities
> to be known,
(depends on your definition of "people's real-world identities")

> it is easy to track down who signed whose key (it's right
> there in the keyring-archive), and request that the signer provide assistance
> to the relevant authorities in proving that real-world identity.
(doubtful, considering how GPG key-signing parties actually work)

-- 
WBR, wRAR



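What "who signed whose key is right there in the keyring" actually yields, as an added example that is not part of this thread and not Debian tooling: a small parser for the colon-format record stream that `gpg --with-colons --list-sigs` (or `--check-sigs`) emits, which recovers, for each key, the key IDs of its certifiers and the self-asserted user-ID strings attached to them. The sample dump is constructed (the key IDs, fingerprints and names are made up and do not correspond to any real key); a real one would come from a keyring such as the `debian-keyring` package. Field positions follow GnuPG's doc/DETAILS.

```python
"""Recover the 'who certified whom' graph from gpg colon-format output.

Relevant record fields (1-based, per GnuPG doc/DETAILS):
  pub: field 5 = 16-hex key ID of the key being listed
  uid: field 10 = user ID string (a self-asserted name/e-mail, nothing more)
  sig: field 5 = signer key ID, field 10 = signer's user ID as present in this
       keyring (or "[User ID not found]"), field 11 = signature class, e.g.
       "13x" = positive certification (0x13), exportable
With --check-sigs, sig field 2 is "!" for a good signature, "-" for a bad one.
"""

# Constructed sample, NOT real keyring data.  Alice's key carries her own
# self-signature, a certification by Bob, and one by a key that is absent
# from this keyring.  Bob's key carries only his self-signature.
SAMPLE = """\
pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:13x::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:::8:
sig:::1:2222222222222222:1500100000::::Bob Example <bob@example.org>:13x::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:::8:
sig:::1:3333333333333333:1500200000::::[User ID not found]:10x::::8:
pub:u:4096:1:2222222222222222:1500000000:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1500000000::0000000000000000000000000000000000000000::Bob Example <bob@example.org>::::::::::0:
sig:::1:2222222222222222:1500000000::::Bob Example <bob@example.org>:13x::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:::8:
"""

# Signature classes 0x10..0x13 are user-ID certifications; 0x18 (subkey
# binding), 0x1F (direct key) and 0x30 (revocation) are not.
CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def _unescape(field):
    # gpg escapes a literal ':' inside a field as \x3a so ':' stays the delimiter
    return field.replace("\\x3a", ":")


def parse_certifications(colon_output):
    """Map key ID -> {"uids": [...], "certs": [(signer_id, signer_uid, class), ...]}.

    Self-signatures (signer == key owner) are dropped: they bind a UID to its
    own key and say nothing about who vouched for it.
    """
    keys = {}
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = fields[4]
            keys[current] = {"uids": [], "certs": []}
        elif rec == "uid" and current is not None:
            keys[current]["uids"].append(_unescape(fields[9]))
        elif rec == "sig" and current is not None:
            signer, sig_class = fields[4], fields[10]
            if not sig_class.startswith(CERTIFICATION_CLASSES):
                continue
            if signer == current:
                continue
            keys[current]["certs"].append((signer, _unescape(fields[9]), sig_class))
    return keys


def certifiers(colon_output, key_id):
    """Key IDs and UID strings of everyone who certified key_id, in listing order."""
    return parse_certifications(colon_output).get(key_id, {}).get("certs", [])


if __name__ == "__main__":
    for key_id, info in parse_certifications(SAMPLE).items():
        print(key_id, info["uids"])
        for signer, signer_uid, sig_class in info["certs"]:
            print("  certified by", signer, repr(signer_uid), "class", sig_class)
```

Everything the parser can return is a key ID and a UID string that the key's own holder typed in; the third certification on the first key shows that when the signer's key is not in the keyring even that string is missing. Identity beyond that has to come from outside the keyring.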