
Re: Why are in-person meetings required for the debian keyring?



Christian Kastner <debian@kvr.at> writes:
> On 2015-02-12 18:20, Nikolaus Rath wrote:
>> Christian Kastner <debian@kvr.at> writes:
>>> On 2015-02-11 20:17, Nikolaus Rath wrote:
>>>> In other words: just because I'm sure about someone's
>>>> legal name, I wouldn't trust him to run code on my computer. But if
>>>> someone has been contributing to Debian for 5 years with a specific GPG
>>>> key, I'd probably trust him to prepare a package no matter if the name
>>>> associated with the GPG key actually corresponds to some legal identity
>>>> or not.
>>>
>>> I highly disagree. "Contributing to Debian for 5 years" alone is well
>>> within the means and patience of various organizations with potentially
>>> malicious intentions.
>> 
>> Does that mean you're individually verifying the credentials of whatever
>> developer signed an upload before running dpkg -i?
>
> I don't have any packages installed via dpkg -i. I don't have a use
> case for that (is this common?). I install all my packages via apt-get
> or aptitude,

That's what I meant. I was assuming you'd have to use dpkg because you
don't automatically trust any Debian package (but now I realize you do,
just for different reasons).

> and I only use official mirrors, where the Release files are
> signed by an archive key, which is signed by DDs, whose identity I can
> rely on through the web of trust.

Ah, so you're saying you trust the Debian developers because their
identity has been verified. I didn't realize you highly disagreed with
my first sentence as well. It seems we have very different bases on
which to assign trust, but nothing wrong with that.

> And I maintain that those people cannot be trusted with unrestricted
> upload rights to the archive. That person-no-one-has-ever-met but
> occasionally-prepares-and-uploads-packages could just be a well
> motivated person (or a group of people -- who knows?) hoping to
> eventually compromise a popular OS such as Debian, with zero risk of
> personal consequences, or criminal prosecution.

In my opinion, exactly the same applies for someone you've met. I think
it's a lot easier to get a forged id than to establish a history of
valuable contributions.


Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

