[aur-general] TU application - speps

Xyne xyne at archlinux.ca
Thu Apr 26 16:32:56 EDT 2012


speps wrote:

> I followed the whole discussion on ML, as it is of my interest,
> and I must admit the Xyne presence in the Arch team was always a
> good point for me to assert the possibility of contributing "officially"
> and "anonymously" at the same time, in the hope that is not just an
> exception.
> 
> The meaning of identity on the Internet is still something not so defined
> to me through its limits, consequences and abuses.
> So, from the beginning of my Internet experience, I never referred to
> myself by my real name/life, but used a nickname, a digital identity.
> This could be perceived as stupid or too paranoid by some, but for me
> it is just a way to taste things without risking being too much implicated, up to
> the point of no return. I'm not referring to responsibilities, but to the
> possibility of having a choice.
> 
> The intention of adopting GPG keys for signing packages is to prevent
> malicious hijacking through mirrors and to certify their provenance,
> and not to identify a packager in his real life.
> Also, even using a "real name" is not a way to assume a real existence,
> since hypothetically a real life identity could be easily faked too.
> 
> As you can see I sign mails with my GPG key, and I really do not see
> a real difference between mine and yours or that of another TU, since
> actually we do not personally know each other.
> 
> I like to think that a digital identity just deals with the reputation
> that comes from the quality of the work done and from the behaviour in
> social relations, and a nickname is enough to cover its identification.
> 
> This is just my point till now, not a way to convince someone else.
> I say "till now", because this is the first time I was asked to reveal
> my real identity as being crucial to contributing or to being trusted.
> 
> Differently, some years ago Giovanni Scafora asked for my name to include
> it as a contributor in an [extra] PKGBUILD (cpufrequtils) after I sent
> him a patch. In that case I took the decision of keeping to my way.
> 
> I'll have to think about this since, as you say, probably another
> Xyne would not be allowed.
> My idea is to try an application simply as "speps" and, on a negative
> response, take the big decision. What do you think?

I agree with all of these points. An identity is an identity regardless of
whether or not it's connected to the name your parents gave you. If you have
shown yourself to be consistent and trustworthy through actions over a period
of time, that should be enough. As you say, the introduction of PGP keys was to
ensure that no one had tampered with the packages in transit, not to force TUs
to divulge off-line (i.e. irrelevant) information. No one asked for real names
before, let alone verified them. All that mattered was the quality and
consistency of your contributions, and that's how it's supposed to be.

There are many legitimate reasons that one may wish to remain "anonymous". Some
simply prefer privacy. Others may wish to avoid internet stalkers or worse.

Anyway, as mentioned, you can release packages without all 5 master signatures,
but I still think it's silly that TUs don't automatically get all of the master
key signatures... untrusted "Trusted Users" just doesn't make any sense. If the
TU application process is not trusted, then it has to be changed, otherwise it's
nonsensical.

Btw, if you want real security and not just security theater, introduce a
sign-off system for TUs. That would do far more than getting "real names".
