Re: Why are in-person meetings required for the debian keyring?



Christian Kastner <debian@kvr.at> writes:
> On 2015-02-11 20:17, Nikolaus Rath wrote:
>> In other words: just because I'm sure about someone's
>> legal name, I wouldn't trust him to run code on my computer. But if
>> someone has been contributing to Debian for 5 years with a specific GPG
>> key, I'd probably trust him to prepare a package no matter if the name
>> associated with the GPG key actually corresponds to some legal identity
>> or not.
>
> I highly disagree. "Contributing to Debian for 5 years" alone is well
> within the means and patience of various organizations with potentially
> malicious intentions.

Does that mean you're individually verifying the credentials of whatever
developer signed an upload before running dpkg -i? I believe at the
moment Debian doesn't even enforce any number or period of
contributions, so I'm curious what it means for you in practice to
generally not trust Debian developers.


Best,
-Nikolaus
-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«