Oliver Elphick wrote: > > Anand Kumria wrote: > >I don't know when you asked Dale but the procedures are quite clear that > >"An image file of an appropriate piece of photo-identification" (from > ><URL: http://www.debian.org/devel/join/nm-step2> is required. > > Yes! We want (as a group) to see the id. The fact that a developer has > signed the key means we don't need to take any further steps to verify > that the id belongs to the applicant (in other words, we DO trust > developers to follow proper procedures when signing keys). > > Why do you have such a big problem with the idea of supplying ids? > (which Debian has required at least since 1996/7 when I joined.)
I don't think that Anand has a problem with supplying ID. I think his objection is to making a requirement of supplying ID two different, redundant ways: 1) when showing ID to a Developer, who shall subsequently sign the applicants public key(s), and 2) sending in a pic, the file of which is signed with a verifiable key. When I applied, and read the steps to take, I interpreted the instructions to mean IF I couldn't meet with a Developer to verify my identity, THEN send in a photo id, the file being signed, with the former being the preferable method to close the "eyeball loop", and the latter being a grudgingly accepted alternate method. I'm slightly surprised to find either a change, or that I was mistaken, as I've taken no steps to scan in a photo of myself. However, I have no problem with it; I plan on purchasing a SANE-supported scanner, anyhow. Nevertheless, I find that the scanned & signed photo, as described in recent traffic, as opposed to the prior legal picture ID requirement, to be less useful: what's going to prevent someone from scanning in a picture of anyone, signing and sending it? How're you going to verify that it is the pic of the sender? For that matter, even using DL's and PP's are not reliable in scanned format, since the pic can be hacked with the GIMP. One stated need is for security: how else could there be a holding responsible if there is no scanned ID? What if a Trojan is uploaded? How will Debian protect itself? Unless these photo IDs are being collected to assist LEOs, scanned photos will afford no protection. If these are going to be, effectively, mugshots,for the reason above, this is useless. Debian has to rely on the No Warranty clauses of the licenses of the software distributed. I recommend _asking_ for scanned photos, not making it a requirement, except as alternative to physically and visibly meeting a "well known" (i.e. Developer as) signatory. In fact, I think it would be cool to have a page with thumbnails to the pics of _every_ Developer. However, if it remains a requirement, in addition to having my keys signed by _two_ different Developers, so be it; I'll jump through whatever hoops are necessary. I am Wannabe; Hear me roar, in too many decibels to ignore, until I make my AM understand: >Hunh<!? Oh, sorry, Helen... -- [EMAIL PROTECTED] 972-729-5387 [EMAIL PROTECTED] (home ph. on Q) http://www.koyote.com/users/bolan RE: xmailtool http://www.koyote.com/users/bolan/xmailtool/index.html RMS of Borg: "Resistance is futile; you shall be freed."
