On 2020-08-13 at 17:57 +0200, Adam Borowski wrote:
> On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> > as there would be an external motivation to do that which is financing
> > such activity. Please note that by 'company' I am not meaning just
> > business entities, but also three letter agencies, nation states,
> > malicious hacker groups, mafia...
> > Even ignoring the (likely) ability of such groups to get a passport
> > under a name different than the one given at birth to an individual,
> > it seems they would have little trouble to produce a new identity to
> > present to Debian. I assume they would probably only have a few people
> > on payroll with the required expertise tasked to infiltrate into the
> > project, *however* it would be very easy to let them assume online the
> > identity of any other employee (such as a non-technical receptionist),
> > which would be plenty if compared to the number of "ghosthacker
> > developers".
>
> I don't get where people get the feeling that producing a passport would
> require a TLA/nation state/organized crime/etc. You can get one for
> peanuts.
>
> I've been offered one once, and I inquired about the details -- for just
> ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
> stuff for fooling actual government officials. No need to sacrifice that
> whole $25 to get a fake for Debian purposes, though -- no one among us can
> tell apart one booklet/card with a badly-made photo from another.
>
> Waving a passport or similar id offers laughable security.
>
>
> Meow.

Hi

Please note that my point was that any determined 'company' could get multiple identities signed, without even involving crafting new passports or identity cards, which of course would also be within their reach.

Would a TLA/nation state/organized crime/etc. be interested in being able to compromise Debian hosts? Sure. Amongst them, some would try hard for plausible deniability, while others directly don't care.

If the keysigning is expected to protect (to a certain point) against this, it's a scenario to take into account, uncomfortable as it is. It might be possible that there is a better solution for that which could be included, or that it is determined that the system is fallible, yet we don't have anything better so far to use. It is thus important to define what is expected from this step of the process.

Best regards