[aur-general] GPG Key Signing

Thomas Bächler thomas at archlinux.org
Fri Dec 2 01:59:10 EST 2011


On 01.12.2011 23:08, Gaetan Bisson wrote:
> [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
>> I don't think anyone has actually verified that any of the given names
>> are real names.
> 
> Well, actually, CAcert (which Dan relies on) is all about verifying
> people's actual identity, in particular their name and birth date.

And that information is useful to you because ...?

>> What's important is that you've verified that you use the key to sign
>> your packages in case someone does get compromised or decides to go
>> rogue, then we will have a way to easily track which packages should
>> become void.
> 
> That feature was already achieved by permissions on gerolde/sigurd...

It wasn't.

> The whole point of package signing is to neutralize attacks against our
> repositories (our servers but also third-party mirrors).

That's only part of the point. The other part is - as mentioned - the
ability to revoke trust from rogue packagers.

> I find Dan's verification requirements quite reasonable, and I am
> pleased he takes a different approach than other master key holders:
> what would be the point of everyone verifying the same thing?
> 
> Yes, that Xyne person (well, it could even be a group of people, for all
> we know) has pushed good packages to the repos, but developers and
> trusted users are not just package producing machines, and it doesn't
> strike me as odd that a distro expects a little transparency from them.

I'll ask you the same question I asked before, when we already had this
discussion: What benefit does knowing someone's real identity give you?
(and please, I'd really like to get an answer this time)

TBH, I wish I would have chosen a pseudonym when I started doing things
publicly on the internet. I wish I never would have given anyone my real
name. It's too late for that now, I'm afraid.

> Of course, that is only my opinion: verification policy is for each
> master key holder to decide individually - that's what they were
> entrusted with when they were selected.

We should have agreed on a common policy on this matter. It sends mixed
signals when a packager is only signed by some key holders and not
others. And, IMO, it is an affront to this community to reject someone
who has been contributing for years.
