Re: Why are in-person meetings required for the debian keyring?
>>>>> "Nikolaus" == Nikolaus Rath <Nikolaus@rath.org> writes:
Nikolaus> However, it seems to me that meeting someone in person
Nikolaus> isn't actually verifying the relevant identity here. My
Nikolaus> trust in a Debian developer is not based on him holding a
Nikolaus> particular legal name, it is in his history of
Nikolaus> contributions. In other words: just because I'm sure about
Nikolaus> someone's legal name, I wouldn't trust him to run code on
Nikolaus> my computer. But if someone has been contributing to
Nikolaus> Debian for 5 years with a specific GPG key, I'd probably
Nikolaus> trust him to prepare a package no matter if the name
Nikolaus> associated with the GPG key actually corresponds to some
Nikolaus> legal identity or not.
There are lots of types of trust involved.
I definitely think past contributions are part of it.
However, I also think it's desirable that we have some probability of
being able to engage a legal process if we needed to. Imagine someone
intentionally uploaded some compromised software to Debian with the
purpose of harming our users/turning Debian machines into bots/etc.
That's something we should not stand for, and being able to respond to
that sort of thing in the legal system does have to do with a binding to
a particular legal identity.
An in-person meeting is neither necessary nor sufficient for that sort
of legal binding, but I suspect in a number of cases it would help
significantly.
--Sam