Re: Transparency into private keys of Debian



On 2024-02-08 23:44:21 +0100 (+0100), Hans-Christoph Steiner wrote:
> > In business, such things are confirmed (often badly) by independent
> > audit. For a volunteer-driven community effort, we have to rely on
> > everyone to exercise their best judgement in these sorts of matters.
> 
> Debian could also get independent, professional audits.
[...]

Perhaps of a sort, but not the kind I'm accustomed to being
performed in the corporate world. Having auditors visit every DD's
home to watch them upload packages and confirm they're following the
claimed secure workflows seems entirely intractable. Sure, you could
ask every DD to fill out a questionnaire, but if you don't trust
them all to follow documented practices, then why would you trust
them to accurately answer survey questions either?
-- 
Jeremy Stanley

Attachment: signature.asc
Description: PGP signature