Re: [Debconf-discuss] GPG keysigning?
On Fri, Jun 19, 2009 at 09:37:57PM +0300, Eddy Petrișor wrote: > Before the KSP, thanks to your old posts I decided I would only sign > keys for people that I at least saw (talked to) once before and who > appeared to be who they claimed to be in the view of the other > people present there. OTOH, for people visibly chasing signatures or > being sloppy when checking the ID or not even looking at me, I > decided I will not sign their keys. Maybe I'm a strange bird here, but I really can't say I agree with the arguments made here against signing keys after verifying government issued passports. I think having verified a government-issued passport (that looks authentic enough) and that the bearer resembles enough the photo on that passport is much better than not having a well connected web of trust. If we want to get into the paranoid realm of some kind of government agents who aren't who they claim to be, I think they will find a way inside such an open project as Debian no matter what the key signing policies of people. The point is, my signature is good for a declaration that I have verified the passport of a person and compared the photo to the face. Whether someone then trusts that signature or not (and to what extent) is of course their decision, but if I only signed keys of people I know since childhood, it would make the web of trust much weaker and trust paths to other people who I don't know very long with lots of signatures from people who I don't know for no real benefit. > Some of those people decided to sign my key although I had no > contact with them before or after the KSP. > > IMO, *that* is plain wrong! It's exactly what I consider good policy, if your ID looks good enough. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] GPG keysigning?
On Tue, Jun 23, 2009 at 10:43:53AM -0700, Don Armstrong wrote: > Perhaps it would be good enough to have the public checksum-checking > part of the keysigning party very early on in Debconf, and then do the > signing later on during meals, where there would be an opportunity for > more informal interaction to establish identity, etc. beyond the 20 > seconds or so that you have during a mass keysigning. That's a compromise of some kind. I don't think it's necessary the best possible compromise, though. There seem to be two conflicting needs here, which both seem to me to have some importance: a) That the ID check needs to be more than casual, and the nature of a mass key signing party often results in lax checks; b) That a strong WOT is a strongly connected WOT, with lots of (proper) signatures. Judging some of the POVs presented on this list, I probably give quite a bit more weight to (b) than some others here, but in no way think that proper ID checks should not be done (a signature in itself is not valuable if it doesn't certify anything). It's all about the balance really, but personally I do think having a sparse WOT is a bigger problem than lax ID checks in reality among the kind of technologically knowledgeable people like those attending Debconf (or even those using PGP). Really, which one is more assuring, a) that I personally know a person A whom I trust and who has verified the government-issued ID of a person X, whose signature I need to be able to trust; or b) that I personally know a person A, whom I trust, and trust that he knows well some person B, whom I do not know, and there's some kind of assumed knows-well chain A->B->C->D->E->X where I really have no good idea who B..E are? Some POVs expressed here seem to me to ignore the problems of (b) completely. Even given the trust model which seems to be encouraged by the current GPG implementation, the E's signature on X's key would not be assigned any value unless I trust E and consider his key valid. And there's bound to be a long degree of separation between two random people if the relation is "knows well" instead of "has checked ID". But if I know and trust A, I can presume that X is X with a good certainty given A's signature on X's key. That's why a strong WOT is important, and that's just plain incompatible with "signing keys of people you don't know is just wrong!". (On a side note, I consider "knows well but hasn't checked the ID" in many respects a weaker, not a stronger, check than "has checked the ID".) > It may also be useful to put on people's nametags some sort of > indication that they plan to participate in the keysigning so people > know whether to ask about it during meals. [It'd probably also help to > distribute people more randomly during meals.] I'd still prefer some kind of more organized thing to exchange IDs and signatures, precisely because a strongly connected WOT is so important. I don't say it needs to be a tiresome 3 hour session in a parking lot. What then, I don't know, but I think the best thing for the WOT still is to get as many people as possible to verify each other's IDs and sign each other's keys. Perhaps something like many short, only semi-official sessions in different days? Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] About selling OpenPGP cards in debconf9
On Tue, Jun 23, 2009 at 09:18:43PM +0200, Luca Capello wrote: > AFAIK no one has talked about OpenPGP cards since DebConf8, where I had > some spare OpenPGP cards (with reader) to sell: I think OpenPGP cards that support larger RSA than 1024 bit still don't exist? It's slowly starting to be a concern. Other than that, such a card would be nice to have. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices
On Tue, Jun 23, 2009 at 07:55:57PM -0700, Don Armstrong wrote: > On Tue, 23 Jun 2009, Russ Allbery wrote: > > For example, I think US drivers' licenses are only verifiable by > > someone who's lived in that state or otherwise seen drivers' > > licenses from that state. > > Nah; there's a guide published[1] which has all of them. [If you're a > bar tender or a notary, you have to be able to check them.] But from an international POV I don't know if that's very useful. Would you accept 50 different IDs issued by, say, Portugal, in a KSP? Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Condensed keylist to print out
On Thu, Jul 16, 2009 at 11:58:58AM +0200, Joachim Breitner wrote: > I also tried to generate a graph of the current signatures as on > http://people.debian.org/~nomeata/debconf8-signing-party/debconf8-before.png > but it seems it’s too large this time: > > $ cat gen-before.sh > gpg --no-default-keyring --keyring ./debconf9-before.gpg --list-sigs > $( $ ./gen-before.sh > [..] > fdp: failure to create cairo surface: out of memory > ./gen-before.sh: line 1: 6924 Donegpg > --no-default-keyring --keyring ./debconf9-before.gpg --list-sigs $( 6925 | sig2dot -a > 6927 Speicherzugriffsfehler | fdp -Tpng -o debconf9-before.png I managed to generate such a graph with -Tsvg, and inkscape opens it quite nicely (doesn't even seem very slow to me). If you for some reason wanted to export a huge png from it, I guess that might be possible too. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
[Debconf-discuss] Tea kettle
There used to be a tea kettle at the coffee table near hacklab 1. Does anybody know where it is now? /me desperately needs tea for his day to start :( Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Tea kettle
On Sun, Jul 26, 2009 at 12:22:45PM +0300, Sami Liedes wrote: > There used to be a tea kettle at the coffee table near hacklab 1. Does > anybody know where it is now? Or does anybody know of an alternative way to get hot water? I'm not the only person here with severe withdrawal symptoms. :-) It seems there's at least hot coffee and milk, so I guess there must be a way to heat liquids somewhere. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] [Debconf-announce] DebCofn Assassins game
On Sat, Jul 25, 2009 at 02:55:39PM +0200, Joerg Jaspert wrote: > as last year(s) there is an assassins game again. The rules are the same > as in the past and are written down at > > http://wiki.debconf.org/wiki/DebConf9/Assassins Idea: Couldn't it work so that when killed, the killed could give a secret code known only to the game system and him with which the killer could confirm himself? I'm quite certain I'm not going to confirm my killing "within 2 hours" if it happens late on night on way to the secondary residence, for example. If next morning is not good enough, it's ok to me to drop/disqualify me or whatever, but I just can't promise that much flexibility. (OTOH I also don't have a clean sock with me and don't intend to walk to the secondary residence in 39 °C only to get one, so you probably don't need to worry about me killing you today.) Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Tea kettle
On Sun, Jul 26, 2009 at 01:21:39PM +0300, Sami Liedes wrote: > On Sun, Jul 26, 2009 at 12:22:45PM +0300, Sami Liedes wrote: > > There used to be a tea kettle at the coffee table near hacklab 1. Does > > anybody know where it is now? > > Or does anybody know of an alternative way to get hot water? I'm not > the only person here with severe withdrawal symptoms. :-) Just out of curiosity, WTF is the deal with the tea kettle? It's gone again. Not that there seems to be any tea either, so presumably it does not matter... :P Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Tea kettle
On Tue, Jul 28, 2009 at 02:10:26AM +0200, Andrew Lee wrote: > Sami Liedes wrote: > > Just out of curiosity, WTF is the deal with the tea kettle? It's gone > > again. Not that there seems to be any tea either, so presumably it > > does not matter... :P > > Have you asked kitchen or Montaña about it? Who's Montaña? We (i.e. not be but someone who speaks Spanish) asked the guard woman I think the evening when it first was missing, I think she didn't know anything about it. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
[Debconf-discuss] Tea available... at least to some extent
On Tue, Jul 28, 2009 at 02:25:08AM +0300, Sami Liedes wrote: > Just out of curiosity, WTF is the deal with the tea kettle? It's gone > again. Not that there seems to be any tea either, so presumably it > does not matter... :P I shopped for some tea, it was surprisingly difficult to find, but I did manage to buy 50 teabags, 20 of which are black tea with lemon and 30 of which I think are mixed black teas, but the package says it has a reddish color (I think). I doubt these are going to be enough for the entire tea consuming population of Debconf if we use one tea bag per cup of tea, so I wonder how to proceed. OTOH if someone finds a teapot (I've heard rumors there's one somewhere around here), I think enough tea can be arranged for everyone. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] [Debconf-announce] Assassins
On Thu, Jul 30, 2009 at 03:07:22PM +0200, Joerg Jaspert wrote: > Heya > > so it looks like we have a tie and two assassin winners this year... > > Alvaro Antonio Fuentes Vasquez and Andreas Tille both have 11 kills, so > congrats to them. Bollocks. The list claims I was killed by Alvaro. I wasn't, at least until 2 hours after the game was already over. I also didn't and don't confirm it. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] [Debconf-announce] Assassins
On Thu, Jul 30, 2009 at 04:15:32PM +0300, Sami Liedes wrote: > Bollocks. The list claims I was killed by Alvaro. I wasn't, at least > until 2 hours after the game was already over. I also didn't and don't > confirm it. Also it lists some people as killed twice and counts the listed kills wrong. Seems a bit buggy to me :P Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Please don't upload GPG keys to keyserver?when signing them
On Thu, Aug 06, 2009 at 11:51:25AM +0200, Jan Wagner wrote: > .oO(*note* don't keysign with Petter Reinholdtsen for now) Why not? If you are sure that the identity is correct and that the e-mail addresses are correct (through *your* use of caff), the only thing your signature can do is strengthen the web of trust. I would sign in that case. Whether you trust him to be able to handle his key properly is an entirely separate variable, and in fact handled by GnuPG separately. Unless the problem is that you don't want Petter's signatures on your key, but then there's not much you can do anyway to prevent me or anyone else from creating a key with Bill Gates (or Petter Reinholdtsen) as the name, signing your key and uploading the signature to a keyserver. In fact this is one of the aspects of PGP+keyservers I don't like, that you can create 100k bogus signatures on someone's key and AFAICT there's nothing they can do to prevent their key on the keyservers from becoming too huge to handle. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Zagreb <--> Banja Luka
On Tue, May 17, 2011 at 02:59:27PM +0100, Ian Jackson wrote: > This is precisely the kind of response that I was complaining about. > What people need is INFORMATION, not reassurance. > > Those flying into Zagreb need to know when they book flights (which > ideally would be done a month or two ago) that they have a good plan > for what they will do on arrival in Zagreb. +1 This is perhaps the main reason why I still do not have flights booked. Need information, not assurances. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Zagreb <--> Banja Luka
On Tue, May 17, 2011 at 04:37:45PM +0200, Adnan Hodzic wrote: > So the moral of what I just said is please don't panic, we have > everything under control and whoever you are you or whenever you > arrive you won't be left by yourself. So, I'm planning to book flights now. Two questions: 1) Is it GUARANTEED that, if our arrival flight is in Zagreb at 22:15 on the 24th, there will be a bus connection to Banja Luka that night? 2) Is it GUARANTEED that, if our arrival flight departs Zagreb at 06:45 on the 31st, there will be a bus connection from Banja Luka so that we can make it to that plane? Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] we need to *organise* Banja Luka-Zagreb bus trips for some days (23th, 24th, 31th)
On Tue, Jul 19, 2011 at 08:56:06AM +0200, Andreas Tille wrote: > Definitely. As I said somewhen last week: Could anybody please rent a > bus for this day and we divide the price for this bus by the number of > people inside. +1 I'm not so much worried about getting to Banja Luka (although it would be nice if the bus company would get forewarning that there's going to be lots of people), but on 31st missing the fligths from Zagreb would be a bigger problem. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] ZAG-BNX buses & taxis
On Thu, Jul 21, 2011 at 01:08:19PM +0100, Ian Campbell wrote: > Those of us arriving between 1305 and 1405 on that day (at least those > on the wiki) had agreed to meet up at the airport and travel together, > I'm willing to go with the consensus of that group on this. I and Timo Lindfors are also interested in this at either price, 35 or 46 euros. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] ZAG-BNX buses & taxis
On Thu, Jul 21, 2011 at 09:14:43PM +0100, Ian Campbell wrote: > I've just picked up a voice mail from connecto-taxi.com, for nine people > they quote two taxis for a total price of 450 EUR, which is 50EUR each > so a bit more than previously expected (I guess the price vs. # of > people graph is a bit of a sawtooth as you fill cars). > > Is this acceptable to people? Yes, that's ok. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Languages Skill Exchange
On Sat, Jul 30, 2011 at 02:00:21PM +0200, Giovanni Mascellani wrote: > Just for the record, gobby-0.5 didn't pass the UTF-8 stress test: > selection a text in Arabic made the gobby-0.5 of a quite a few of us > crash badly (this could be connected with the fact that Arabic was the > only right-to-left language we had). This was reproduced more than once, > but we didn't try to debug it. The first time we all got an assertion failure when one of us tried to select some Arabic text I believe: ERROR:inf-text-gtk-view.c:1157:inf_text_gtk_view_expose_event_after_cb: assertion failed: (prev_toggle->x < cur_toggle->x) Aborted And the second time we (or at least I and some others) got a segmentation fault: (gobby-0.5:12936): GLib-GObject-WARNING **: attempt to retrieve private data for invalid type 'InfTextGtkView' Segmentation fault Though for a good bug report I guess someone should figure out if they can be reproduced... Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] pictures and privacy (was: my pictures so far (including the bicyle tour))
On Sat, Jul 30, 2011 at 04:01:30PM +0200, Petter Reinholdtsen wrote: > This is backwards, and places the responsibility of other peoples > actions (ie photographers pubishing their pictures) into the hands of > people that can't know when the problem occurs (ie in some picture and > not aware that the photographs are making them public). The person > publishing a picture should be responsible for the choice and ensuring > that the privacy of others is respected, not the persons in the > pictures. I'd say it's that way in very few cases. It's not reasonable to expect no pictures of you ending online if you take part in a public event. If you just happen to have your face on an otherwise (i.e. not because of your presence in it) very interesting photo, it's entirely unreasonable to expect the photographer to not publish it. Having said that, of course you may ask for it, and a friendly photographer might grant your wish and not publish such photos. Still I'd say the responsibility for doing this is very much on the person who doesn't want to be in published photos. There is no such thing as an absolute right to not have your face in a published photo, much less a right to be asked beforehand. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] Gobby vs. Etherpad?
On Mon, Aug 01, 2011 at 01:03:17PM +0200, Adam Borowski wrote: > http://wiki.debconf.org/wiki/BofHowTo#Why_not_etherpad.3F (Disclaimer: I've never tried Etherpad, and I hadn't even heard of gobby before this Debconf. Perhaps I should try etherpad with my N900; bringing my laptop to the auditorium for talks was too much of a hassle, so I missed gobby there. Using via browser would have been nice, but that's a wishlist feature at most.) I must confess having a network-interfacing program written in an unsafe language talking to a server that relays data from AFAICT anyone at any IP address without any authorization segfault on entirely benign input makes me feel a bit nervous about its security properties... Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] pictures and privacy (was: my pictures so far (including the bicyle tour))
On Sat, Aug 06, 2011 at 10:17:19PM +0200, martin f krafft wrote: > I suggest that in the future, DebConf adopts a codex which asks of > participants only to publish those photos for which they have > received explicit consent, before or afterwards. I hope not. While I don't take photos myself, I often enjoy other people's photos. I think you are trying to place an unreasonable and undue burden on the photographers. The starting point must be that people usually have the right to publish their photos. Since in those cases the most you can do is to kindly ask them to not photograph you or remove a photo of you, I do consider it entirely unreasonable to try to place on them the heavy burden of having to obtain consent before publishing. That would make photography unnecessarily difficult in a case where there can be no reasonable expectation of privacy. I, and I suspect many others, like having photos of DebConf. The effect of what you demand would be to suppress many photos that nobody would object to simply because someone somewhere could have had an objection to the photo and the photographer never got around to asking. No. In the case of quite normal, innocent photos that burden should not be on the photographers. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] The Return of the Assassins
On Mon, Jul 02, 2012 at 12:32:09PM -0600, Wouter Verhelst wrote: > This only reinforces my resolve not to participate in assassins, even > though I like the game quite much. > > In 2007, I was killed before my target had even arrived. That sucked. > > In 2008, I was killed before I even knew the game had started. I guess > it must've been about 5 minutes after opening. That sucked even more. In 2009, I was killed after the game had already ended, so I did not confirm the kill. The organizers decided to confirm it without asking from me instead. This in fact changed the winner of the game (which wouldn't have been me either way). When I complained on the mailing list, I was told that the rules do not matter, because it's only a game. After that, I have not played. Also it seemed to me that players have had a vastly different notion of what consists a valid kill. That late kill was made in a busy hacklab while I was talking with other people, lightly touching with a sock so well hidden that nobody of those I was talking to noticed and, in fact, it took me a quite a while to understand what this assassin wanted. Sami signature.asc Description: Digital signature ___ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
