
Why are in-person meetings required for the Debian keyring?



Hello,

I'm a little confused about the need to meet in person to get a
signature that's acceptable for the Debian keyring.

I believe that Debian packages are signed on upload to ensure that they
have been prepared by a Debian Developer, because Debian Developers are
assumed to be trustworthy.

However, it seems to me that meeting someone in person isn't actually
verifying the relevant identity here. My trust in a Debian developer is
not based on him holding a particular legal name, it is in his history
of contributions. In other words: just because I'm sure about someone's
legal name, I wouldn't trust him to run code on my computer. But if
someone has been contributing to Debian for 5 years with a specific GPG
key, I'd probably trust him to prepare a package no matter if the name
associated with the GPG key actually corresponds to some legal identity
or not.

Following that argument, I think a key should be signed and included in
the Debian keyring if it (the key) has a history of high quality
contributions. Meeting the keyholder in person to look at his passport
doesn't seem to add anything of particular value here. Why would I care
under what name he has been contributing?

Am I missing something?

Disclaimer: I don't mind the requirement, I'm just curious why it's
there.

Best,
-Nikolaus
-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

