Re: Debian OpenPGP audit log

+debian-project
Daniel Kahn Gillmor wrote:
> On Tue 2017-10-10 15:22:06 +0200, Enrico Zini wrote:

>> To me it would be already a big step forward to make Debian workflows
>> auditable, so anyone can have a look at what other people are doing.
>> Contributions are generally all in the open, but it's pretty hard to
>> collate them all into a single audit log that one can look at.
>> I would find such a thing useful also to audit myself, to see if things
>> are being done in my name that I am now aware of.
> I would also like this, for my own keys, and for the keys that i really
> depend on (like the archive signing key, for example).
> A likely approach would be similar to the "certificate transparency"
> model, where a signature from a public key isn't accepted unless/until
> it has been logged publicly someplace.  This creates an incentive to
> log, and the log itself provides the transparency needed to make it
> *possible* to audit.
> If anyone is interested in working on this, i'd be happy to talk more
> about it further -- there are several designs in the "binary
> transparency" space that take this approach, and it would be great if
> debian could lead the way.
> sadly, i lack the time to implement this myself right now.
>> (all my reply can be quoted on a public list)
> same with mine.
>      --dkg
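A small worked model of the "certificate transparency" style gate dkg describes above, added here as an illustration and not code from the thread or from any Debian project: an append-only Merkle log (RFC 6962-style leaf/node hashing), an inclusion proof, and an acceptance rule that rejects an otherwise valid signature until it is provably in the log. The OpenPGP signature is replaced by an HMAC stand-in so the example runs offline; the key id, secret and artifact are constructed values.

```python
import hashlib
import hmac

# RFC 6962-style domain separation: leaf and interior hashes cannot collide.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def _leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    # Largest power of two strictly below n (the RFC 6962 subtree split).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


class TransparencyLog:
    """Append-only Merkle log; publishing root() is what makes the
    signatures it records auditable by anyone holding the entries."""

    def __init__(self):
        self.leaves = []  # raw entries, in append order

    def append(self, entry: bytes) -> int:
        self.leaves.append(entry)
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return self._root_range(0, len(self.leaves))

    def _root_range(self, lo: int, hi: int) -> bytes:
        if hi - lo == 0:
            return hashlib.sha256(b"").digest()  # empty-tree hash
        if hi - lo == 1:
            return _leaf_hash(self.leaves[lo])
        k = _split_point(hi - lo)
        return _node_hash(self._root_range(lo, lo + k),
                          self._root_range(lo + k, hi))

    def inclusion_proof(self, index: int) -> list:
        """Sibling hashes from the leaf up to the root, tagged with side."""
        return self._proof(index, 0, len(self.leaves))

    def _proof(self, m: int, lo: int, hi: int) -> list:
        if hi - lo == 1:
            return []
        k = _split_point(hi - lo)
        if m < lo + k:
            return self._proof(m, lo, lo + k) + [("R", self._root_range(lo + k, hi))]
        return self._proof(m, lo + k, hi) + [("L", self._root_range(lo, lo + k))]


def verify_inclusion(entry: bytes, proof: list, root: bytes) -> bool:
    """Recompute the root from the leaf and the proof; compare to a trusted root."""
    h = _leaf_hash(entry)
    for side, sibling in proof:
        h = _node_hash(sibling, h) if side == "L" else _node_hash(h, sibling)
    return hmac.compare_digest(h, root)


def sign_stand_in(key: bytes, artifact: bytes) -> bytes:
    # Constructed stand-in for an OpenPGP signature, so this runs offline.
    return hmac.new(key, artifact, hashlib.sha256).digest()


def log_entry(key_id: bytes, artifact: bytes, sig: bytes) -> bytes:
    # What gets logged: who signed, a hash of what, and the signature bytes.
    return key_id + b"|" + hashlib.sha256(artifact).digest() + b"|" + sig


def accept_signature(key_id, key, artifact, sig, proof, trusted_root) -> bool:
    """The policy from the thread: a cryptographically valid signature is
    still refused until it is provably included in the public log."""
    if not hmac.compare_digest(sign_stand_in(key, artifact), sig):
        return False
    return verify_inclusion(log_entry(key_id, artifact, sig), proof, trusted_root)


def demo():
    """Returns (accepted before logging, accepted after logging,
    number of logged signatures an auditor can attribute to the key)."""
    log = TransparencyLog()
    key_id, key = b"KEY-FP-CONSTRUCTED", b"constructed-secret"
    for i in range(3):  # earlier entries so the tree is non-trivial
        log.append(b"earlier-entry-%d" % i)
    artifact = b"hello_1.0-1.dsc (constructed contents)"
    sig = sign_stand_in(key, artifact)
    unlogged = accept_signature(key_id, key, artifact, sig, [], log.root())
    idx = log.append(log_entry(key_id, artifact, sig))
    root, proof = log.root(), log.inclusion_proof(idx)
    logged = accept_signature(key_id, key, artifact, sig, proof, root)
    made_by_key = [e for e in log.leaves if e.startswith(key_id + b"|")]
    return unlogged, logged, len(made_by_key)


if __name__ == "__main__":
    print(demo())
```

The last line of demo() is the self-audit Enrico asks for: once every accepted signature must be logged, filtering the log by key id lists everything done under that key, whether or not its owner remembers doing it.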
