[aur-general] GPG Key Signing

Gaetan Bisson bisson at archlinux.org
Fri Dec 2 02:52:11 EST 2011


[2011-12-02 07:59:10 +0100] Thomas Bächler:
> On 01.12.2011 23:08, Gaetan Bisson wrote:
> > [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
> >> I don't think anyone has actually verified that any of the given names
> >> are real names.
> > 
> > Well, actually, CAcert (which Dan relies on) is all about verifying
> > people's actual identity, in particular their name and birth date.
> 
> And that information is useful to you because ...?

Your question is irrelevant here. I was just asserting that, yes, the
names of certain devs have actually been verified.

> >> What's important is that you're verified that you use the key to sign
> >> your packages in case someone does get compromised or decides to go
> >> rogue, then we will have a way to easily track which packages should
> >> become void.
> > 
> > That feature was already achieved by permissions on gerolde/sigurd...
> 
> It wasn't.

Yes, it was.

> > The whole point of package signing is to neutralize attacks against our
> > repositories (our servers but also third-party mirrors).
> 
> That's only part of the point. The other part is - as mentioned - the
> ability to revoke trust from rogue packagers.

No. From that standpoint, package signing does nothing more than
permissions on gerolde/sigurd - as mentioned.

> I'll ask you the same question I asked before, when we already had this
> discussion: What benefit does knowing someone's real identity give you?
> (and please, I'd really like to get an answer this time)

You had an answer (actually, several answers, and not just from me) last
time - it's just that you didn't like them so you chose to ignore them,
but they're still all in your email archives.

(See, I can be disagreeable too.)

-- 
Gaetan