On Thu, Dec 1, 2011 at 8:21 AM, Thomas Bächler <thomas@archlinux.org> wrote:
On 01.12.2011 12:19, Xyne wrote:
I'm in the process of getting my key signed (Pierre has signed, Thomas and Ionut should sign soon, not sure if Dan will sign due to not knowing my real name).
Dan's way isn't just about knowing the real name. He wants to verify that the name is correct.
I can't believe that we are having the identity verification discussion again, but here is what I believe: You have been elected TU (or Developer) and thus I trust your key. Knowing (or not knowing) your real name doesn't change anything. In fact, I did not verify names for anyone.
What's important to me: If I find out that you release packages that are harmful in any way, I can revoke my signature and block your packages from being installed. Knowing your real name does not make that easier, or prevent you from doing harmful things in the first place.
I do find it kind of abnormal that a TU does want to retain his real name. There may be legitimate reasons for doing this or not, I don't know. But I also have to agree with Thomas on this one. I don't think anyone has actually verified that any of the given names are real names. What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void.