[aur-general] TU application - speps

Allan McRae allan at archlinux.org
Fri Apr 27 23:36:19 EDT 2012

On 27/04/12 06:32, Xyne wrote:
> speps wrote:
>> I followed the whole discussion on the ML, as it is of interest to me,
>> and I must admit Xyne's presence in the Arch team was always a
>> good point for me to assert the possibility of contributing "officially"
>> and "anonymously" at the same time, in the hope that it is not just an
>> exception.
>> The meaning of identity on the Internet is still something not so well
>> defined to me in its limits, consequences and abuses.
>> So, from the beginning of my Internet experience, I never referred to
>> myself by my real name/life, but by a nickname, a digital identity.
>> This could be perceived as stupid or too paranoid by some, but for me
>> it is just a way to taste things without risking being too much involved,
>> to the point of no return. I'm not referring to responsibilities, but to the
>> possibility of having a choice.
>> The intention of adopting GPG keys for signing packages is to prevent
>> malicious hijacking through mirrors and to certify their provenance,
>> not to identify a packager in his real life.
>> Also, even using a "real name" is not a way to assume a real existence,
>> since hypothetically a real-life identity could easily be faked too.
>> As you can see I sign mails with my GPG key, and I really do not see
>> a real difference between mine and yours or that of another TU, since
>> actually we do not personally know each other.
>> I like to think that a digital identity just deals with the reputation
>> that comes from the quality of the work done, as from the behaviour in
>> social relations, and a nickname is enough to cover its identification.
>> This is just my point till now, not a way to convince someone else.
>> I say "till now", because this is the first time I have been asked to
>> reveal my real identity as crucial for contributing or being trusted.
>> By contrast, some years ago Giovanni Scafora asked my name to include
>> it as a contributor in an [extra] PKGBUILD (cpufrequtils) after I sent
>> him a patch. In that case I took the decision of keeping to my way.
>> I'll have to think about this since, as you say, probably another
>> Xyne would not be allowed.
>> My idea is to try an application as simply "speps" and, on a negative
>> response, take the big decision. What do you think?
> I agree with all of these points. An identity is an identity regardless of
> whether or not it's connected to the name your parents gave you. If you have
> shown yourself to be consistent and trustworthy through actions over a period
> of time, that should be enough. As you say, the introduction of PGP keys was to
> ensure that no one had tampered with the packages in transit, not to force TUs
> to divulge off-line (i.e. irrelevant) information. No one asked for real names
> before, let alone verified them. All that mattered was the quality and
> consistency of your contributions, and that's how it's supposed to be.
> There are many legitimate reasons that one may wish to remain "anonymous". Some
> simply prefer privacy. Others may wish to avoid internet stalkers or worse.
> Anyway, as mentioned, you can release packages without all 5 master signatures,
> but I still think it's silly that TUs don't automatically get all of the master
> key signatures... untrusted "Trusted Users" just doesn't make any sense. If the
> TU application process is not trusted, then it has to be changed, otherwise it's
> nonsensical.
> Btw, if you want real security and not just security theater, introduce a
> sign-off system for TUs. That would do far more than getting "real names".

I have no real issues with people being anonymous, but there is another
issue here.

I signed "Xyne"'s GPG key because, despite not knowing anything in
particular about "him", I have had plenty of interaction with him during
his time as an Arch contributor.  So I was quite sure that the Xyne I
"knew" was the one I was signing a key for.

The user "speps", on the other hand, I have absolutely no idea who is. In
fact, when I looked at their AUR packages, I was absolutely surprised at
the number of them...  I have never seen that name on IRC and there are
only 5 posts on the forums for that account name.  Looking at the mail
archives, there are a bunch of AUR package deletion requests.  I would
have a lot of difficulty deciding to sign that key.
