
Re: Why are in-person meetings required for the debian keyring?



Russell Stuart <russell-debian@stuart.id.au> writes:

> On Wed, 2015-02-11 at 11:17 -0800, Nikolaus Rath wrote:
>> I'm a little confused about the need to meet in-person to get a
>> signature that's acceptable for the Debian keyring.
>> 
>> I believe that Debian packages are signed on upload to ensure that they
>> have been prepared by a Debian Developer, because Debian Developers are
>> assumed to be trustworthy.
>> 
>> However, it seems to me that meeting someone in person isn't actually
>> verifying the relevant identity here. My trust in a Debian developer is
>> not based on him holding a particular legal name, it is in his history
>> of contributions.
>
> I agree.  The problem is in the details.  How do you prove all those
> contributions came from that key?  Really the only way to prove it is to
> have that long history signed by the key that wants to become a DD.  The
> issue is very few people sign all their interactions with Debian -
> certainly not in the beginning.  Worse, there are people (and some
> current DDs) who strongly objected on this list to doing it.
>
> But yes, if it were available I agree it's far more secure than the
> procedures we have now, and I'd like to see Debian's procedure changed
> to treat such history with at least equal weight to getting your key
> signed by a DD.  The reason is that history is a "proof of work".  It's
> a well known and remarkably strong way of authenticating something.
> Currently the best known deployment of it is Bitcoin which uses it as
> the foundation for block chain security.
>
> The weakness of the current method is shown by one of the responses
> given here:
>
> On Wed, 2015-02-11 at 20:36 +0000, Philip Hands wrote:
>> The thing it's trying to add is some assurance that, if it were
>> necessary to eject someone from the project for whatever reason, that
>> it is at least moderately hard for them to sneak back in under a
>> different name.
>
> If it is indeed trying to do that, it fails miserably.   A DD signing a
> key doesn't imply he is saying he is worthy of (re)inclusion into
> Debian, so nobody uses it as a criterion.  If some random noob comes up
> to a DD with valid credentials and asks them to sign their key, it's
> highly likely they will.  At major conferences this happens en masse at
> key signing parties(!)

You've managed to spectacularly miss my point.

If one insists on face-to-face meetings, there is a moderate chance that
someone is going to notice that the same person is attempting to create
a new persona in order to gain a reentry that we'd refuse if they
presented themselves as the persona which was ejected.

It's certainly not foolproof, but it's considerably better than simply
allowing people to run multiple personae in parallel from their
underground bunker.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Attachment: signature.asc
Description: PGP signature

