[aur-general] GPG Key Signing
bisson at archlinux.org
Fri Dec 2 02:52:11 EST 2011
[2011-12-02 07:59:10 +0100] Thomas Bächler:
> On 01.12.2011 23:08, Gaetan Bisson wrote:
> > [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
> >> I don't think anyone has actually verified that any of the given names
> >> are real names.
> > Well, actually, CAcert (which Dan relies on) is all about verifying
> > people's actual identity, in particular their name and birth date.
> And that information is useful to you because ...?
Your question is irrelevant here. I was just asserting that, yes, the
names of certain devs have actually been verified.
> >> What's important is that you've verified that you use the key to sign
> >> your packages in case someone does get compromised or decides to go
> >> rogue, then we will have a way to easily track which packages should
> >> become void.
> > That feature was already achieved by permissions on gerolde/sigurd...
> It wasn't.
Yes, it was.
> > The whole point of package signing is to neutralize attacks against our
> > repositories (our servers but also third-party mirrors).
> That's only part of the point. The other part is - as mentioned - the
> ability to revoke trust from rogue packagers.
No. From that standpoint, package signing does nothing more than
permissions on gerolde/sigurd - as mentioned.
> I'll ask you the same question I asked before, when we already had this
> discussion: What benefit does knowing someone's real identity give you?
> (and please, I'd really like to get an answer this time)
You had an answer (actually, several answers, and not just from me) last
time - it's just that you didn't like them so you chose to ignore them,
but they're still all in your email archives.
(See, I can be disagreeable too.)