On 01.12.2011 23:08, Gaetan Bisson wrote:
> [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
>> I don't think anyone has actually verified that any of the given names are real names.
>
> Well, actually, CAcert (which Dan relies on) is all about verifying people's actual identity, in particular their name and birth date.

And that information is useful to you because ...?

>> What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void.
>
> That feature was already achieved by permissions on gerolde/sigurd...

It wasn't.

> The whole point of package signing is to neutralize attacks against our repositories (our servers but also third-party mirrors).

That's only part of the point. The other part is - as mentioned - the ability to revoke trust from rogue packagers.

> I find Dan's verification requirements quite reasonable, and I am pleased he takes a different approach than other master key holders: what would be the point of everyone verifying the same thing?
>
> Yes, that Xyne person (well, it could even be a group of people, for all we know) has pushed good packages to the repos, but developers and trusted users are not just package producing machines, and it doesn't strike me as odd that a distro expects a little transparency from them.

I'll ask you the same question I asked before, when we already had this discussion: What benefit does knowing someone's real identity give you? (and please, I'd really like to get an answer this time) TBH, I wish I would have chosen a pseudonym when I started doing things publicly on the internet. I wish I never would have given anyone my real name. It's too late for that now, I'm afraid.

> Of course, that is only my opinion: verification policy is for each master key holder to decide individually - that's what they were entrusted with when they were selected.

We should have agreed on a common policy on this matter. It sends mixed signals when a packager is only signed by some key holders and not others. And, IMO, it is an affront to this community to reject someone who has been contributing for years.