Re: Why are in-person meetings required for the debian keyring?
On 2015-02-15 11:55, Russell Stuart wrote:
> On Fri, 2015-02-13 at 15:14 +0000, Ian Jackson wrote:
>> There are organisations with plenty of money, who would perhaps like
>> to infiltrate us, but for whom risk of exposure is the biggest cost of
>> trying.
>
> Which organisations would that be?
>
> Is it the NSA, who was caught red-handed installing gear in AT&T
> telephone exchanges to illegally spy on US citizens? [0]
Just because no one went to prison does not mean there weren't consequences.
In this particular example, these and similar activities led to "HTTPS
Everywhere" and other encryption-by-default trends. I would expect this
to have a *dramatic* impact on the ability to collect intelligence.
> Back to my original point, the job we ask of GPG is to ensure the keys
> we admit to the keyring are owned by an entity who has proved he is
> competent at maintaining packages and is compatible with Debian's social
> fabric.
I contest that. When signing a key, GPG asks me how closely I have
verified the identity of the person, and only that.
GPG and the WoT are used for far more than just Debian development.
> I can't imagine a better way of doing that than proof of work.
I can: proof of work AND identity verification. As we have now (via
advocacy and key signing).
Honestly, I get the feeling that this debate keeps getting framed as an
either/or question, and I don't understand why, when we already have both.
Nobody is advocating that we drop the proof-of-work requirement
(signatures alone do not a DD make). What's being debated is whether to
drop the identity verification requirement. A number of arguments have
been made for and against, but personally, I have found none of the
"for" arguments convincing in the slightest.
This is starting to feel like bike-shedding to me. For example, I
believe the current shortage of AMs [1] to be a far greater obstacle to
becoming a DD than the signature requirement. So let me ask this: who
exactly would benefit from dropping this requirement?
From a quick look, I'd say that all but a dozen DDs have 3 or more
signatures, so the 2-sig-minimum requirement apparently was not a
problem for most of them (and of the remaining dozen, about half are
keys at least a decade old).
DMs require only one DD signature, and whether new contributors require
a DD signature depends entirely on the package sponsor.
> But yes, everybody is absolutely right in saying it won't stop spy
> agencies.
That doesn't mean we have to make it easier for them.
I believe I have already contributed what I can to this thread, so I
will recuse myself.
Regards,
Christian
[1] https://lists.debian.org/debian-devel-announce/2015/02/msg00001.html