
Re: Why are in-person meetings required for the debian keyring?



Hi Ian and All,

On Fri, 2015-02-13 at 15:14 +0000, Ian Jackson wrote:
> Sending a warm body to turn up at a conference is much riskier.  Even
> if the person just turns up at the KSP, and engages in no small talk
> with anyone, their photo might be taken; they might be `made' by
> suspicious attendees; their (no doubt officially issued) alias
> documents might be scrutinised and recorded; and so on.
> 
> These are perhaps small risks, but a small risk of headlines like
> `spooks found covertly infiltrating Free Software project' is a big
> cost to those kind of people.

I think you can find many people who will, for a few hundred €, meet
someone for you with their IC card. You just identify that person, create a
mail with his name and start sending contributions. Then give him less
than 1k€ and ask him to meet someone at some DebConf and give him a
small paper. That person does not even know who you are and probably
does not even know much about Debian.

I am not talking about the French ID card, which anyone can change easily. As DDs
will not verify the integrity of the ID, I think your argument becomes
very light.

For me, mandating that people contribute for at least 3 years with signed
mails/uploads is probably better than asking for a key signed by 2 DDs.

You can easily set up a DD rating tool, so that only keys above a certain
rate allow their holder to apply for DD status. This rating shall be
done by DDs only based on their technical contributions.

That way you probably have a more secure process.

Cheers,
Abou Al Montacir,

