Re: Why are in-person meetings required for the debian keyring?
Christian Kastner <debian@kvr.at> writes:

> And I maintain that those people cannot be trusted with unrestricted
> upload rights to the archive. That person-noone-has-ever-met but
> occasionally-prepares-and-uploads-packages could just be a well
> motivated person (or a group of people -- who knows?) hoping to
> eventually compromise a popular OS such as Debian, with zero risk of
> personal consequences, or criminal prosecution.

I think the point is that so could the person who showed up at DebConf.
Once you start postulating a sufficiently motivated attacker that they
would be willing to take the time to establish a contribution track record
and go through the NM process, showing up at DebConf with a forged ID is
not increasing the difficulty of the attack by very much, nor is it
increasing the risk by all that much.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>