
Re: Keysigning in times of COVID-19



Quoting Alexandre Viau (2020-08-07 05:44:34)
> On 2020-08-06 11:54 a.m., Enrico Zini wrote:
> > What do you think could be alternative key signing policies, that would
> > be acceptable to you, that would not require traveling and meeting face
> > to face?
> 
> Hello Enrico :)
> 
> Thank you for bringing this up.
> 
> On 2020-08-06 1:26 p.m., Johannes Schauer wrote:
> > So in my opinion (and please correct my assumptions if they are
> > wrong), an acceptable key signing policy would also be one, where a
> > prospective DM has shown over several months to produce work that is
> > always signed with the same key and maybe even communicated (for
> > example via email, maybe even encrypted) using that GPG key.
> 
> This makes sense.
> 
> Whoever advocated for me to become a DD advocated for the person that
> was signing patches with E301 54F5 429F FBB9 B22E 49C2 DA82 830E 3CCC
> 3A3A. They had never met me. It didn't matter. My key was added to the
> keyring because whoever was signing emails and uploaded with that key
> seemed to care enough about Debian and seemed to produce work that is
> good enough to be let in the archive.
> 
> There were also DD signatures on my key at the time, but none of them
> had worked with me. They only loosely verified that the awkward guy at
> the coffee shop received or intercepted emails sent at
> alexandre@alexandreviau.net.
> 
> I have recently advocated for somebody to become DM. I have some 
> indirect connection with him in the real world, but I have never met 
> him in person. Having his key signed is blocking his NM DM process.
> 
> I am sure that I "know" this guy. He signs all of his messages with 
> the same PGP key. He signs all of his patches with the same PGP key. 
> He cares about Debian. He asks good questions. If we meet at DebConf, 
> I'll be able to tell that it's him. I'll point him to you guys so that 
> you know who he is.
> 
> We will organize a video call, just to meet outside of emails, but I 
> won't verify his ID, and I will sign his key so that we can move 
> forward.
> 
> Feel free to attribute whatever value that you want to that signature. 
> I think that given my history with that person it holds much more 
> value than the 2-minute KSP ones.

Advocacy and authenticity are separate things.

I can vouch for the person in control of E301 54F5 429F FBB9 B22E 49C2 
DA82 830E 3CCC 3A3A regarding quality of Debian work and understanding 
of Debian spirit, when I have seen some work and some personal 
reflections signed by that identifier.

I can authenticate the person in control of E301 54F5 429F FBB9 B22E 49C2 
DA82 830E 3CCC 3A3A when I somehow gain confidence of who that person is 
- maybe through signed work and reflections, maybe through governmental 
papers, maybe through physical/audio/video presence - more likely 
through a combination of as many of those as possible.

It is important for Debian that all members meet a certain level of 
competence and consensus of spirit (on Debian matters only).

...but it is also important for Debian that members each are represented 
through a single identifier - not multiple.

If only looking at work and reflections, I'd argue that it would be much 
much harder to notice if E301 54F5 429F FBB9 B22E 49C2 DA82 830E 3CCC 
3A3A was controlled not by an independent person but e.g. me.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
