Re: Keysigning in times of COVID-19
On Thu, 2020-08-20 at 10:05 +0200, Philip Hands wrote:
> Conjuring up a "malicious DD" seems to carry with it the assumption
> that only bad people do bad things, which seems naive to me.
>
> This conversation reminds me of the trade-offs involved in airport
> security.
>
> One can decide to spend money on security theatre (e.g. expensive
> scanners) or general resilience (e.g. more ambulances and emergency
> responders)
The number of airplane hijackings has gone down significantly[1] while
the amount of air travel has increased by a lot (passenger-kilometers
per year by more than a factor of 10 or so between 1970 and 2010, from
some graph I found). So it seems to be effective.
Maybe the "security theater" even pays for itself given planes are
fairly expensive? :-)
[1]: https://www.statista.com/chart/4560/airliner-hijackings-have-become-rare-events/
> In this situation, tightening up our procedures regarding keys strikes
> me as much closer to the security theater end of the spectrum, while
> efforts like Reproducible Builds are at the general resilience end.
One could just do both. I think I have seen, for example, automated
external defibrillators in public buildings like airports.
> If I were a sociopath contemplating sabotage in the Free Software
> sphere, going to the effort of becoming a DD, even for the first time,
> would be nowhere near the top of my list.
>
> Does DAM actually have any cases at all where they suspect a previously
> expelled DD of trying to sneak back into the project under a new ID?
>
> If not, then either our procedures are already broken enough that
> temporarily slackening keysigning protocols won't make the slightest
> difference, or the threat is probably not worth worrying about.
If a fire alarm hasn't been triggered by a fire for some time, should it
be removed? Maybe the procedures just work reasonably well.
Ansgar