Re: Keysigning in times of COVID-19
On Mon, Aug 17, 2020 at 08:39:02PM +0200, Jonas Smedegaard wrote:
> Quoting Federico Ceratto (2020-08-17 20:17:49)
> > On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez <roberto@debian.org> wrote:
> > > Perhaps instead of requiring "a valid DD signature" as the basis for
> > > "important" project actions (e.g., uploading to the archive), we should
> > > consider rather "degree of trust associated with a collection of one or
> > > more signatures".
> >
> > Forking the conversation a bit, I'm wondering what is the real threat
> > that we want to mitigate.
> > I guess the main one is: "a malicious DD uploads a package containing
> > a backdoor"
>
> Also: "a malicious DD votes twice"
If the term "malicious DD" is reasonable, we have a bigger problem than "votes
twice" or "uploads a backdoor".
aka, "a malicious DD exists" is already a problem.
--
To the thief who stole my anti-depressants: I hope you're happy
-- seen somewhere on the Internet on a photo of a billboard