Re: Why are in-person meetings required for the debian keyring?

To: debian-project@lists.debian.org
Subject: Re: Why are in-person meetings required for the debian keyring?
From: Christian Kastner <debian@kvr.at>
Date: Thu, 12 Feb 2015 20:55:55 +0100
Message-id: <[🔎] 54DD054B.9020709@kvr.at>
In-reply-to: <[🔎] 87bnkzqc73.fsf@thinkpad.rath.org>
References: <[🔎] 87r3twgsvb.fsf@thinkpad.rath.org> <[🔎] 87twysi3rt.fsf@hands.com> <[🔎] 20150211204508.GA24789@helios.pault.ag> <[🔎] 54DC0AFB.8090302@kvr.at> <[🔎] 87bnkzqc73.fsf@thinkpad.rath.org>

On 2015-02-12 18:20, Nikolaus Rath wrote:
> Christian Kastner <debian@kvr.at> writes:
>> I highly disagree. "Contributing to Debian for 5 years" alone is well
>> within the means and patience of various organizations with potentially
>> malicious intentions.
> 
> Does that mean you're individually verifying the credentials of whatever
> developer signed an upload before running dpkg -i?

I don't have any packages installed via dpkg -i. I don't have a use case
for that (is this common?) I install all my packages via apt-get or
aptitude, and I only use official mirrors, where the Release files are
signed by an archive key, which is signed by DDs, who's identity I can
rely on through the web of trust.

I install all the stuff I don't trust on a Windows box (with the other
software I very rarely use, but occasionally need).

> I believe at the moment Debian doesn't even enforce any number or
> period of contributions, so I'm curious what it means for you in
> practice to generally not trust Debian developers.

Nonsense. I generally trust anyone who's key is in the keyring. Most
people in there have a multitude of signatures, so that increases my
confidence in their identity even more.

However, those are not the people you are talking about. The argument
you are raising is that people could be trustworthy even if they have
had *zero* personal identity verification.

And I maintain that those people cannot be trusted with unrestricted
upload rights to the archive. That person-noone-has-ever-met but
occasionally-prepares-and-uploads-packages could just be a well
motivated person (or a group of people -- who knows?) hoping to
eventually compromise a popluar OS such as Debian, with zero risk of
personal consequences, or criminal prosecution.

I know, from personal experience, that getting a key signed can be hard.
But I think it's not just an acceptable, but perfectly reasonable hurdle
to clear for the power that you are granted (via upload rights).

Regards,
Christian

Reply to:

Follow-Ups:
- Re: Why are in-person meetings required for the debian keyring?
  - From: Russ Allbery <rra@debian.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Nikolaus Rath <Nikolaus@rath.org>

References:
- Why are in-person meetings required for the debian keyring?
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Philip Hands <phil@hands.com>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Paul Tagliamonte <paultag@debian.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Christian Kastner <debian@kvr.at>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Nikolaus Rath <Nikolaus@rath.org>

Prev by Date: Re: Why are in-person meetings required for the debian keyring?
Next by Date: Re: Why are in-person meetings required for the debian keyring?
Previous by thread: Re: Why are in-person meetings required for the debian keyring?
Next by thread: Re: Why are in-person meetings required for the debian keyring?
Index(es):
- Date
- Thread