>>>>> "Gopal" == Gopal Narayanan <gopal@rainbow.astro.umass.edu> writes:

Gopal> On Wed, Aug 02, 2000 at 03:43:12AM +1000, Anand Kumria wrote:
>> > Membership is a privilege, and if you have to take a couple of
>> > bureaucratic steps, so be it. You don't haggle with your passport
>> > office about providing your passport photos, do you? If you need to
>>
>> Actually I do -- but that is an entirely different story.
>>
>> If you understand how passports work you have one person (in some
>> countries of a particular occupation, e.g. doctor, lawyer, etc.)
>> who can authenticate to the government that you are who you say
>> you are.
>>
>> In the Debian country you could liken that person to existing maintainers.
>> Dale's process says that existing maintainers are not able to
>> authenticate aspiring maintainers who they have confirmed the
>> identity of. Essentially we cease to trust existing developers.

My words of a couple months ago... :-(

[...]

Gopal> All, I am saying is that the photo id requested does not
Gopal> mean that existing developers are not to be trusted. It is
Gopal> an *additional* piece of documentation that goes into the
Gopal> new-maintainer/developer's file.

And additional *worthless* piece of documentation. (Even if it's a scanned passport... that's easy to falsify).

Gopal> [...] If I am malicious and crafty enough, I can put a
Gopal> trojan horse in my package that can cause a lot of
Gopal> financial damage to some company/institution.

Of course you can... but if you are *malicious enough*, giving a photo of *someone* ("Excuse me Mr, I'm an amateur photographer, you have such an interesting face, can I make a picture of you?" Voila, false photo).

Gopal> Debian can be held responsible for this act of
Gopal> vandalism. Simply put, the debian new-maintainer team now
Gopal> at least has *some* pieces of identification on who I
Gopal> am.

As I said a long time ago: we don't.

Oh, and Wichert mentioned legal reasons for that ID (in <20000521123722.A6900@mors.wiggy.net>), like there might(!) come a time when SPI would have to take out an insurance for exactly these events. Well, any insurance company would *certainly* want ID of *all* the members, not just the "new people since early 2000". *And* to `get your hands on somebody' you definitely need more than a (possible fake) photo and GnuPG public key.

Gopal> As debian maintainers, we have a lot of
Gopal> responsibility. Users take for granted that the software
Gopal> they download from our website, or CDs are secure. Debian
Gopal> maintainers are the first points-of-contact for the package
Gopal> they maintain, and hence, we as an organization should have
Gopal> a reasonable idea of who the maintainers are.

I state categorically: *if* we trust our developers (and everybody is always quick to proclaim that we do), a key signed *by one of them* is "a reasonable idea" if you ask me. But of course you don't (or that whole NM mess would be the mess it is, IMNSHO).

[...]

Gopal> I couldn't find your summary. The archives on the web only
Gopal> lists the July archive.

The list has moved and all... that's the problem I'd wager. It was nm-discuss@cipsa.physik.uni-freiburg.de. I don't know if the archive is still there... but since it was a Mailman list, an archive should at least exist. (I wish Debian would move to Mailman :-| )

Bye, J

--
Jürgen A. Erhard eMail: jae@ilk.de phone: (GERMANY) 0721 27326
MARS: http://members.tripod.com/Juergen_Erhard/mars_index.html
SPACE: Above And Beyond (http://www.planetx.com/space:aab)
Amazon.com: One-Click Patent - One-Click Boycott