On Sat, 28 Apr 2012 13:36:19 +1000 Allan McRae <allan@archlinux.org> wrote:
On 27/04/12 06:32, Xyne wrote:
speps wrote:
I followed the whole discussion on the ML, as it is of interest to me, and I must admit Xyne's presence in the Arch team was always a good point for me to assert the possibility of contributing "officially" and "anonymously" at the same time, in the hope that it is not just an exception.
The meaning of identity on the Internet is still something not so defined to me through its limits, consequences and abuses. So, from the beginning of my Internet experience, I never referred to myself through my real name/life, but using a nickname, a digital identity. This could be perceived as stupid or too paranoid by some, but for me it is just a way to taste things without risking to be too much implied till the point of no return. I'm not referring to responsibilities, but to the possibility of having a choice.
The intention of adopting GPG keys for signing packages is to prevent malicious hijacking through mirrors and to certify their provenance, and not to identify a packager in his real life. Also, even using a "real name" is not a way to assume a real existence, since hypothetically a real life identity could be easily faked too.
As you can see I sign mails with my GPG key, and I really do not see a real difference between mine and yours or that of another TU, since actually we do not personally know each other.
I like to think that a digital identity just deals with the reputation that comes from the quality of the work done like from the behaviours in social relations, and a nickname is enough to cover its identification.
This is just my point till now, not a way to convince someone else. I say "till now", because this is the first time I was asked to reveal my real identity for being crucial in contributing or to be trusted.
Differently, some years ago Giovanni Scafora asked my name for including it as a contributor in an [extra] PKGBUILD (cpufrequtils) after sending him a patch. In that case I took the decision of keeping on my way.
I'll have to think about this since, as you say, probably another Xyne would not be allowed. My idea is trying an application as simply "speps" and, on a negative response, taking the big decision. What do you think?
I agree with all of these points. An identity is an identity regardless of whether or not it's connected to the name your parents gave you. If you have shown yourself to be consistent and trustworthy through actions over a period of time, that should be enough. As you say, the introduction of PGP keys was to ensure that no one had tampered with the packages in transit, not to force TUs to divulge off-line (i.e. irrelevant) information. No one asked for real names before, let alone verified them. All that mattered was the quality and consistency of your contributions, and that's how it's supposed to be.
There are many legitimate reasons that one may wish to remain "anonymous". Some simply prefer privacy. Others may wish to avoid internet stalkers or worse.
Anyway, as mentioned, you can release packages without all 5 master signatures, but I still think it's silly that TUs don't automatically get all of the master key signatures... untrusted "Trusted Users" just doesn't make any sense. If the TU application process is not trusted, then it has to be changed, otherwise it's nonsensical.
Btw, if you want real security and not just security theater, introduce a sign-off system for TUs. That would do far more than getting "real names".
I have no real issues with people being anonymous, but there is another issue here.
I signed "Xyne"s GPG key because despite not knowing anything in particular about "him", I have had plenty of interaction with him during his time as an Arch contributor. So I was quite sure that the Xyne I "knew" was the one I was signing a key for.
The user "speps" on the other hand, I have absolutely no idea who that is. In fact, when I looked at their AUR packages, I was absolutely surprised at the number of them... I have never seen that name on IRC and there are only 5 posts on the forums for that account name. Looking at mail archives there are a bunch of AUR package deletion requests. I would have a lot of difficulty deciding to sign that key.
Allan
Hi Allan, and thanks for joining the discussion and for pointing this out, of course. You're right, we never had a conversation before, and our tasks never crossed. Time for sharing my views on communication platforms, though.
As you mentioned, I only posted 5 messages on the Arch Forums. Well, I've never been too familiar with forums in general, even if I found them a useful and inalienable resource. Most of the communication related to my Arch contributions, till now, has been wonderfully covered by the AUR comments feature. Quite simple, but totally suited to discussing specific package-related issues, given its self-structured nature. Obviously, it also needs moderation. I systematically recommend that commenters who go OT, abuse it by starting flame wars or just use it wrongly (e.g. pasting kilometric logs without using a paste bin service) follow some simple rules to let everybody live a satisfying collaboration experience. And it just mostly works. Accordingly, it's really noisy to me discovering (months later too) some user reporting an issue with one of the build scripts I maintain on an {un,}official Arch forum, or worse, on an Arch-unrelated ML. And it just happens regularly. The few times it happened and I was still in time, I contacted the reporter to join the related AUR page. Briefly, I never had the need to post on forums till now, finding them too generic and dispersive to be efficient in my regular tasks, like reporting, discussing and resolving bugs.
You'll find some bug reports opened or not by me (username archspeps; at the beginning I signed up to all Arch services with this nick before changing to speps; unluckily but fairly, changing username for the bug tracker is not allowed). There aren't many of them though, since I usually do not report bugs without investigating enough to provide a solution too, or simply they deal with upstream bugs so I go to the source. An example of a bug (an old and long one) I contributed to resolving both ways is about the gimp file-uri support [1].
IRC represents my main communication platform. Yeah, IRC :) In response to all OT comments I may find on one of my AUR pages, I invite the user to contact me on IRC (speps @ freenode.net), since {s,}he would find me on-line and active most of the time. Someone could testify. Nevertheless, you're right. You'll rarely find me on #archlinux, since I intentionally never added it to my auto-join list. IRC channels are a great platform for discussing everything in an immediate and efficient way. Btw, as it happens for overused and sated channels related to big projects such as a popular distribution, they may easily become a chaotic bazaar where you hardly distinguish or follow a single conversation, fancy participate. Also, English not being my first language, things become even more complicated, so I usually tend to leave this kind of conversation to users that are surely more quick and polished than me. Those are the reasons why #archaudio or #archlinux.it are, instead, in my auto-join list. At the same time it would be surely reasonable for me to be at least present on #archlinux, so more people could easily check if I'm on-line or not. So, from now on, I promise you'll find me on #archlinux too :)
Mailing lists are also part of my daily routine. I'm subscribed to all development related lists, following most of the threads. Trying to limit the amount of nested responses though, I participate exclusively when my comment would be heavily relevant or when it just deals with practices, like merge or delete requests. Also in such cases I collect as many packages as I can in those requests, and include thanks in advance. An example of what I intend by almost relevant is a contribution I sent last December on the arch-multilib ML [2] about the jack2-multilib package.
Probably, my Arch itinerary would be harder to trace back given my synthetic contributing style and fragmentation, absolutely antithetic to my so long explanations, of course (sorry). Btw, I'm here to help you :)
Regards
[1] https://bugs.archlinux.org/task/12321
[2] http://mailman.archlinux.org/pipermail/arch-multilib/2011-December/000251.ht...
- speps -