
Re: [nm-admin] Identification step in the current scheme (Re: Fear the new maintainer process)



>>>>> "Gopal" == Gopal Narayanan <gopal@rainbow.astro.umass.edu> writes:

    Gopal> On Wed, Aug 02, 2000 at 03:43:12AM +1000, Anand Kumria wrote:
    >> > Membership is a privilege, and if you have to take a couple of
    >> > bureaucratic steps, so be it. You don't haggle with your passport
    >> > office about providing your passport photos, do you? If you need to
    >> 
    >> Actually I do -- but that is an entirely different story.
    >> 
    >> If you understand how passports work you have one person (in some
    >> countries of a particular occupation, e.g doctor, lawyer, etc.)
    >> who can authenticate to the government that you are who you say 
    >> you are.
    >> 
    >> In the Debian country you could liken that person to existing maintainers.

    >> Dale's process says that existing maintainers are not able to
    >> authenticate aspiring maintainers who they have confirmed the
    >> identity of. Essentially we cease to trust existing developers.

My words of a couple months ago... :-(

[...]

    Gopal> All, I am saying is that the photo id requested does not
    Gopal> mean that existing developers are not to be trusted. It is
    Gopal> an *additional* piece of documentation that goes into the
    Gopal> new-maintainer/developer's file.

An additional *worthless* piece of documentation.  (Even if it's a
scanned passport... that's easy to falsify).

    Gopal> [...] If I am malicious and crafty enough, I can put a
    Gopal> trojan horse in my package that can cause a lot of
    Gopal> financial damage to some company/institution.

Of course you can... but if you are *malicious enough*, giving a photo
of *someone* ("Excuse me Mr., I'm an amateur photographer, you have
such an interesting face, can I take a picture of you?"  Voila, false
photo).

    Gopal> Debian can be held responsible for this act of
    Gopal> vandalism. Simply put, the debian new-maintainer team now
    Gopal> at least has *some* pieces of identification on who I
    Gopal> am.

As I said a long time ago: we don't.

Oh, and Wichert mentioned legal reasons for that ID (in
<20000521123722.A6900@mors.wiggy.net>), like there might(!) come a
time when SPI would have to take out insurance for exactly these
events.  Well, any insurance company would *certainly* want ID of
*all* the members, not just the "new people since early 2000".  *And*
to `get your hands on somebody' you definitely need more than a
(possibly fake) photo and GnuPG public key.

    Gopal> As debian maintainers, we have a lot of
    Gopal> responsibility. Users take for granted that the software
    Gopal> they download from our website, or CDs are secure. Debian
    Gopal> maintainers are the first points-of-contact for the package
    Gopal> they maintain, and hence, we as an organization should have
    Gopal> a reasonable idea of who the maintainers are.

I state categorically: *if* we trust our developers (and everybody is
always quick to proclaim that we do), a key signed *by one of them* is
"a reasonable idea" if you ask me.  But of course you don't (or that
whole NM mess would be the mess it is, IMNSHO).

[...]

    Gopal> I couldn't find your summary. The archives on the web only
    Gopal> lists the July archive.

The list has moved and all... that's the problem I'd wager.  It was
nm-discuss@cipsa.physik.uni-freiburg.de.  I don't know if the archive
is still there... but since it was a Mailman list, an archive should
at least exist.  (I wish Debian would move to Mailman :-| )

Bye, J

-- 
Jürgen A. Erhard      eMail: jae@ilk.de      phone: (GERMANY) 0721 27326
     MARS: http://members.tripod.com/Juergen_Erhard/mars_index.html
       SPACE: Above And Beyond (http://www.planetx.com/space:aab)
            Amazon.com: One-Click Patent - One-Click Boycott
