[2011-12-02 07:59:10 +0100] Thomas Bächler:
On 01.12.2011 23:08, Gaetan Bisson wrote:
[2011-12-01 09:08:39 -0600] Thomas Dziedzic:
I don't think anyone has actually verified that any of the given names are real names.
Well, actually, CAcert (which Dan relies on) is all about verifying people's actual identity, in particular their name and birth date.
And that information is useful to you because ...?
Your question is irrelevant here. I was just asserting that, yes, the names of certain devs have actually been verified.
What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void.
That feature was already achieved by permissions on gerolde/sigurd...
It wasn't.
Yes, it was.
The whole point of package signing is to neutralize attacks against our repositories (our servers but also third-party mirrors).
That's only part of the point. The other part is - as mentioned - the ability to revoke trust from rogue packagers.
No. From that standpoint, package signing does nothing more than permissions on gerolde/sigurd - as mentioned.
I'll ask you the same question I asked before, when we already had this discussion: What benefit does knowing someone's real identity give you? (and please, I'd really like to get an answer this time)
You had an answer (actually, several answers, and not just from me) last time - it's just that you didn't like them so you chose to ignore them, but they're still all in your email archives. (See, I can be disagreeable too.)

-- Gaetan