
Re: Why are in-person meetings required for the debian keyring?



On 2015-02-15 11:55, Russell Stuart wrote:
> On Fri, 2015-02-13 at 15:14 +0000, Ian Jackson wrote:
>> There are organisations with plenty of money, who would perhaps like
>> to infiltrate us, but for whom risk of exposure is the biggest cost of
>> trying.
> 
> Which organisations would that be?
> 
> Is it the NSA, who was caught red-handed installing gear in AT&T
> telephone exchanges to illegally spy on US citizens?  [0]

Just because no one went to prison does not mean there weren't consequences.

In this particular example, these and similar activities led to "HTTPS
Everywhere" and other encryption-by-default trends. I would expect this
to have a *dramatic* impact on the ability to collect intelligence.

> Back to my original point, the job we ask of GPG is to ensure the keys
> we admit to the keyring are owned by entity who has proved he is
> competent at maintaining packages and is compatible with Debian's social
> fabric.

I contest that. When signing a key, GPG asks me how closely I have
verified the identity of the person, and only that.

GPG and the WoT are used for far more than just Debian development.

> I can't imagine a better way of doing that than proof of work.

I can: proof of work AND identity verification. As we have now (via
advocacy and key signing).

Honestly, I get the feeling that this debate keeps getting framed as an
either/or question, and I don't understand why, when we already have both.

Nobody is advocating that we drop the proof-of-work requirement
(signatures alone do not a DD make). What's being debated is whether to
drop the identity verification requirement. A number of arguments have
been made for and against, but personally, I have found none of the
"for" arguments convincing in the slightest.

This is starting to feel like bike-shedding to me. For example, I
believe the current shortage of AMs [1] to be a far greater obstacle to
becoming a DD than the signature requirement. So let me ask this: who
exactly would benefit from dropping this requirement?

From a quick look, I'd say that all but a dozen DDs have 3 or more
signatures, so the 2-sig-minimum requirement apparently was not a
problem for most of them (and of the remaining dozen, about half are
keys at least a decade old).

DMs require only one DD signature, and whether new contributors require
a DD signature depends entirely on the package sponsor.

> But yes, everybody is absolutely right in saying it won't stop spy
> agencies.

That doesn't mean we have to make it easier for them.

I believe I have already contributed what I can to this thread, so I
will recuse myself.

Regards,
Christian

[1] https://lists.debian.org/debian-devel-announce/2015/02/msg00001.html
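The "2-sig-minimum" look-up described in the message above, as an added example that is not part of the thread or of any Debian tooling: a script that parses the machine-readable output of `gpg --with-colons --list-sigs`, ignores self-signatures and subkey binding signatures, counts distinct third-party certifiers per key, and reports which keys fall below a threshold. It also separates certifications by signature class, which is the answer to the "how closely have you verified this identity" prompt the message refers to (0x11 persona, 0x12 casual, 0x13 positive). The key IDs, names and the listing itself are constructed; the field layout follows GnuPG's doc/DETAILS (field 5 is the signer key ID, field 11 the signature class).

```python
"""Count third-party certifications per key in `gpg --with-colons --list-sigs` output."""

# OpenPGP certification classes (RFC 4880 section 5.2.1), as GnuPG prints them
# in field 11 of a "sig" record (two hex digits plus 'x' exportable / 'l' local).
SIG_CLASS_NAMES = {
    "10": "generic (no statement about verification)",
    "11": "persona (identity not verified)",
    "12": "casual verification",
    "13": "positive verification",
}

# Constructed sample listing (hypothetical keys and people, not real key material).
# Alice has two third-party certs, Dave has one signer who certified both UIDs.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::ABCD::Alice Example <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1420070400::::Alice Example <alice@example.org>:13x:
sig:::1:2222222222222222:1420156800::::Bob Example <bob@example.org>:13x:
sig:::1:3333333333333333:1420243200::::Carol Example <carol@example.org>:12x:
sub:u:4096:1:5555555555555555:1420070400::::::e::::::23:
sig:::1:1111111111111111:1420070400::::Alice Example <alice@example.org>:18x:
pub:u:4096:1:4444444444444444:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::EF01::Dave Example <dave@example.org>::::::::::0:
sig:::1:4444444444444444:1420070400::::Dave Example <dave@example.org>:13x:
sig:::1:2222222222222222:1420156800::::Bob Example <bob@example.org>:11x:
uid:u::::1420070400::EF02::Dave Example <dave@example.com>::::::::::0:
sig:::1:4444444444444444:1420070400::::Dave Example <dave@example.org>:13x:
sig:::1:2222222222222222:1420156800::::Bob Example <bob@example.org>:11x:
"""


def parse_listing(text):
    """Return {keyid: {"uid": str, "certs": {signer_keyid: sig_class}}}.

    Self-signatures are dropped, subkey binding signatures are dropped, and a
    signer who certified several UIDs is counted once (last class seen wins).
    A "rev" record (revoked certification) removes that signer again.
    """
    keys = {}
    current = None          # keyid of the primary key being read
    in_subkey = False       # sig records after a "sub" line bind subkeys, not UIDs
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = fields[4]
            in_subkey = False
            keys[current] = {"uid": None, "certs": {}}
        elif rtype == "uid" and current:
            in_subkey = False
            if keys[current]["uid"] is None:
                keys[current]["uid"] = fields[9]
        elif rtype == "sub":
            in_subkey = True
        elif rtype in ("sig", "rev") and current and not in_subkey:
            signer = fields[4]
            if signer == current:
                continue  # self-signature: says nothing about third-party verification
            if rtype == "rev":
                keys[current]["certs"].pop(signer, None)
            else:
                keys[current]["certs"][signer] = fields[10][:2]
    return keys


def third_party_cert_count(keys, keyid):
    """Number of distinct third-party certifiers on the key."""
    return len(keys[keyid]["certs"])


def verified_cert_count(keys, keyid, minimum_class="12"):
    """Certifiers who claimed at least casual (0x12) identity verification."""
    return sum(1 for c in keys[keyid]["certs"].values() if c >= minimum_class)


def keys_below_minimum(keys, minimum=2):
    """Key IDs whose third-party certification count is below the threshold."""
    return [k for k in keys if third_party_cert_count(keys, k) < minimum]


def report(keys, minimum=2):
    """Human-readable summary, one line per key plus the class breakdown."""
    lines = []
    for keyid, info in keys.items():
        n = third_party_cert_count(keys, keyid)
        flag = "" if n >= minimum else "  <-- below minimum"
        lines.append(f"{keyid} {info['uid']}: {n} third-party cert(s){flag}")
        for signer, cls in info["certs"].items():
            lines.append(f"    {signer} {SIG_CLASS_NAMES.get(cls, 'class 0x' + cls)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_listing(SAMPLE_LISTING)))
```

Two caveats for anyone adapting this to a real keyring: the script only counts certifications as listed and does not verify them cryptographically (`gpg --check-sigs` does, and unverifiable ones should not count), and a keyring-maintenance check would additionally restrict the signer set to keys that are themselves in the keyring rather than any certifier at all.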

