[2011-12-01 09:08:39 -0600] Thomas Dziedzic:
I don't think anyone has actually verified that any of the given names are real names.
Well, actually, CAcert (which Dan relies on) is all about verifying people's actual identity, in particular their name and birth date.
What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void.
That feature was already achieved by permissions on gerolde/sigurd... The whole point of package signing is to neutralize attacks against our repositories (our servers but also third-party mirrors). Now those inaccuracies are out of the way: I find Dan's verification requirements quite reasonable, and I am pleased he takes a different approach than other master key holders: what would be the point of everyone verifying the same thing? Yes, that Xyne person (well, it could even be a group of people, for all we know) has pushed good packages to the repos, but developers and trusted users are not just package producing machines, and it doesn't strike me as odd that a distro expects a little transparency from them. Of course, that is only my opinion: verification policy is for each master key holder to decide individually - that's what they were entrusted with when they were selected. -- Gaetan