
Re: Concerns about Security of packages in Debian OS and the Operating system itself.

> anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked.

You are talking about a deterrent though.  I think the question is, what if someone cares more about their political cause than retaining their uploader access?

What if someone's keys are compromised and an attacker uploads a compromised package?

Do we have ways of detecting these breaches or do we rely solely on user reports?

On Mon, May 23, 2022 at 11:22 AM lkcl <luke.leighton@gmail.com> wrote:
On Mon, May 23, 2022 at 6:28 PM Adam McKenna <adam@flounder.net> wrote:
>
> > i believe the answer is in the question. debian is based on distributed trust.  i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate.
>
> This is not an answer to the question though, OP was asking how we prevent abuse of that trust.

reputation, and potentially criminal and civil proceedings.

all identities are known, and inviolate-known [through the
above-described chain].
anyone stupid enough to abuse their position may only do so once, at which
point their GPG key is revoked.

given that GPG key-signing parties require people's real-world identities
to be known, it is easy to track down who signed whose key (it's right
there in the keyring-archive), and request that the signer provide assistance
to the relevant authorities in proving that real-world identity.

this will sufficiently piss off those people that trusted them that they will
be unlikely to work with them ever again [reputation]

in addition there is the Debian Trademark which if brought into disrepute
through abuse could be utilised to seek damages against the perpetrator.

bottom line is that it would be a spectacularly stupid thing to do to violate
the trust and responsibility of being a Debian Maintainer, and the really
interesting bit to me is that this all works in an entirely distributed manner
and can all entirely be done entirely without a single centralised authority,
i.e. *not* having to trust f*****g google or f*****g github with anyone's
real-world identity in any way shape or form.

l.
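The "package distribution chain" lkcl refers to above is, on the client side, a hash chain: the signed Release file lists the SHA256 and size of each Packages index, and each Packages stanza lists the SHA256 and size of the .deb it points at. The following is an added example written for this thread, not code from Debian or APT, that walks that chain over constructed in-memory sample data and reports where a tampered component breaks it. One simplification is assumed: the OpenPGP signature on Release (which apt verifies with gpg against the archive keyring) is stood in for by a precomputed SHA-256 of the Release text, so the example needs no gpg; everything below that step is the same check apt performs, comparing declared digests to the bytes actually fetched. The package name, paths and file contents are constructed.

```python
"""Walk the Release -> Packages -> .deb hash chain over constructed data.

Added example for illustration; not Debian's or APT's own code.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> Dict[str, Tuple[str, int]]:
    """Parse the 'SHA256:' section of a Release file.

    Each entry line is ' <hex digest> <size> <path>'; the section ends at the
    next top-level field (a line not starting with a space).
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> List[Dict[str, str]]:
    """Parse RFC822-style Packages stanzas (blank-line separated) into dicts."""
    stanzas: List[Dict[str, str]] = []
    fields: Dict[str, str] = {}
    for line in packages_text.splitlines():
        if not line.strip():
            if fields:
                stanzas.append(fields)
                fields = {}
            continue
        key, _, value = line.partition(":")
        fields[key] = value.strip()
    if fields:
        stanzas.append(fields)
    return stanzas


def verify_chain(release_text: str, packages_text: str, packages_path: str,
                 debs: Dict[str, bytes], trusted_release_digest: str) -> List[str]:
    """Return a list of problems; an empty list means the chain is intact."""
    problems: List[str] = []
    # Stand-in for the OpenPGP signature check on Release (assumption: the
    # caller obtained this digest from a gpg-verified copy of the file).
    if sha256_hex(release_text.encode()) != trusted_release_digest:
        return ["Release: does not match the signed digest"]
    index = parse_release_sha256(release_text)
    if packages_path not in index:
        return [f"Release: no SHA256 entry for {packages_path}"]
    want_digest, want_size = index[packages_path]
    pkg_bytes = packages_text.encode()
    if (sha256_hex(pkg_bytes), len(pkg_bytes)) != (want_digest, want_size):
        # A modified index cannot be trusted to describe the .debs, so stop here.
        return [f"{packages_path}: hash/size mismatch against Release"]
    for st in parse_packages(packages_text):
        data = debs.get(st["Filename"])
        if data is None:
            problems.append(f"{st['Filename']}: listed but not present")
        elif sha256_hex(data) != st["SHA256"] or len(data) != int(st["Size"]):
            problems.append(f"{st['Filename']}: hash/size mismatch against Packages")
    return problems


def build_sample():
    """Constructed sample archive: one .deb, one Packages index, one Release."""
    deb = b"constructed stand-in for the bytes of hello_2.10-2_amd64.deb"
    filename = "pool/main/h/hello/hello_2.10-2_amd64.deb"
    packages = (
        "Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n"
        f"Filename: {filename}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n"
    )
    pkg_path = "main/binary-amd64/Packages"
    pb = packages.encode()
    release = (
        "Origin: Debian\nSuite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(pb)} {len(pb)} {pkg_path}\n"
    )
    return release, packages, pkg_path, {filename: deb}


def demo() -> Dict[str, List[str]]:
    release, packages, pkg_path, debs = build_sample()
    signed = sha256_hex(release.encode())  # stand-in for a gpg-verified Release
    fn = next(iter(debs))
    return {
        "intact": verify_chain(release, packages, pkg_path, debs, signed),
        "tampered_deb": verify_chain(release, packages, pkg_path,
                                     {fn: debs[fn] + b" tampered"}, signed),
        "tampered_index": verify_chain(
            release, packages.replace("Version: 2.10-2", "Version: 9.9-1"),
            pkg_path, debs, signed),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "chain intact")
```

The point the example makes about the thread's question is that a swapped .deb or an edited index is caught by the hash chain without any user report, as long as the client trusts only a Release file whose signature it has verified; what the chain cannot detect on its own is a package that was signed and uploaded with a legitimately held (or stolen) key, which is the case the reply above is asking about.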
