[aur-general] GPG Key Signing
thomas at archlinux.org
Fri Dec 2 01:59:10 EST 2011
Am 01.12.2011 23:08, schrieb Gaetan Bisson:
> [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
>> I don't think anyone has actually verified that any of the given names
>> are real names.
> Well, actually, CAcert (which Dan relies on) is all about verifying
> people's actual identity, in particular their name and birth date.
And that information is useful to you because ...?
>> What's important is that you're verified that you use the key to sign
>> your packages in case someone does get compromised or decides to go
>> rogue, then we will have a way to easily track which packages should
>> become void.
> That feature was already achieved by permissions on gerolde/sigurd...
> The whole point of package signing is to neutralize attacks against our
> repositories (our servers but also third-party mirrors).
That's only part of the point. The other part is - as mentioned - the
ability to revoke trust from rogue packagers.
> I find Dan's verification requirements quite reasonable, and I am
> pleased he takes a different approach than other master key holders:
> what would be the point of everyone verifying the same thing?
> Yes, that Xyne person (well, it could even be a group of people, for all
> we know) has pushed good packages to the repos, but developers and
> trusted users are not just package producing machines, and it doesn't
> strike me as odd that a distro expects a little transparency from them.
I'll ask you the same question I asked before, when we already had this
discussion: What benefit does knowing someone's real identity give you?
(and please, I'd really like to get an answer this time)
TBH, I wish I would have chosen a pseudonym when I started doing things
publicly on the internet. I wish I never would have given anyone my real
name. It's too late for that now, I'm afraid.
> Of course, that is only my opinion: verification policy is for each
> master key holder to decide individually - that's what they were
> entrusted with when they were selected.
We should have agreed on a common policy on this matter. It sends mixed
signals when a packager is only signed by some key holders and not
others. And, IMO, it is an affront to this community to reject someone
who has been contributing for years.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 900 bytes
Desc: OpenPGP digital signature
More information about the aur-general