On 27/04/12 06:32, Xyne wrote:
speps wrote:
I followed the whole discussion on ML, as it is of my interest, and I must admit the Xyne presence in the Arch team was always a good point for me to assert the possibility of contributing "officially" and "anonymously" at the same time, in the hope that is not just an exception.
The meaning of identity on the Internet is still something not so defined to me through its limits, consequences and abuses. So, from the beginning of my Internet experience, I never referenced to myself through my real name/life, but using a nickname, a digital identity. This could be perceived as stupid or too paranoid for some, but for me is just a way to taste things without risking to be too much implied till the point of no return. I'm not referring to responsibilities, but to the possibility of having a choice.
The adoption of GPG Keys for signing packages intention is to prevent malicious hijacking through mirrors and to certificate their provenance, and not to identify a packager in his real life. Also, even using a "real name" is not a way to assume a real existence, since hypothetically a real life identity could be easily faked too.
As you can see I sign mails with my GPG Key, and I really do not see a real difference between mine and your or the one of another TU, since actually we do not personally know each others.
I like to think that a digital identity just deals with the reputation that comes from the quality of the work done like from the behaviours in social relations, and a nickname is enough to cover its identification.
This is just my point till now, not a way to convince someone else. I say "till now", cause this is the first time I was asked to reveal my real identity for being crucial in contributing or to be trusted.
Differently, some years ago Giovanni Scafora asked my name for including it as a contributor in a [extra] PKGBUILD (cpufrequtils) after sending him a patch. In that case I took the decision of keeping on my way.
I'll have to think about this since, as you say, probably another Xyne would be not allowed. My idea is, trying an application as simply "speps" and on a negative response taking the big decision. What do you think?
I agree with all of these points. An identity is an identity regardless of whether or not it's connected to the name your parents gave you. If you have shown yourself to be consistent and trustworthy through actions over a period of time, that should be enough. As you say, the introduction of PGP keys was to ensure that no one had tampered with the packages in transit, not to force TUs to divulge off-line (i.e. irrelevant) information. No one asked for real names before, let alone verified them. All that mattered was the quality and consistency of your contributions, and that's how it's supposed to be.
There are many legitimate reasons that one may wish to remain "anonymous". Some simply prefer privacy. Others may wish to avoid internet stalkers or worse.
Anyway, as mentioned, you can release packages without all 5 master signatures, but I still think it's silly that TUs don't automatically get all of the master key signatures... untrusted "Trusted Users" just doesn't make any sense. If the TU application process is not trusted, then it has to be changed, otherwise its nonsensical.
Btw, if you want real security and not just security theater, introduce a sign-off system for TUs. That would do far more than getting "real names".
I have no real issues with people being anonymous, but there is another issue here. I signed "Xyne"s GPG key because despite not knowing anything in particular about "him", I have had plenty of interaction with him during his time as an Arch contributor. So I was quite sure that the Xyne I "knew" was the one I was signing a key for. The user "speps" on the other hand, I have absolutely no idea who is. In fact, when I looked at their AUR packages, I was absolutely surprised at the number of them... I have never seen that name on IRC and there are only 5 posts on the forums for that account name. Looking at mail archives there are a bunch of AUR package deletion requests. I would have a lot of difficulty deciding to sign that key. Allan