Re: splitting xsoldier

2002-04-25 Thread Oohara Yuuma

On Thu, 25 Apr 2002 02:21:37 +0200,
Julien LEMOINE <[EMAIL PROTECTED]> wrote:
> On Thursday 25 April 2002 01:19, Oohara Yuuma wrote:
> > 2) The current version of xsoldier puts its score file in /var/lib/games,
> >which is wrong.  According to the FHS, it must be in
> > /var/games/xsoldier. Since both of xsoldier and xsoldier-sdl are the same
> > game, they should share the same score file.  I think xsoldier-data should
> > handle it. How can I save the old score file?  Copying it in postinst of
> >xsoldier-data won't work because it is in xsoldier, not xsoldier-data
> >(if xsoldier is unpacked first, the old score file will be removed).
> why don't you put the score filename in debian/conffiles ?
The score file can't be a conffile because the xsoldier binary
needs to modify it.

-- 
Oohara Yuuma <[EMAIL PROTECTED]>
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170  1F4A 40D6 F42E F464 A695

I always put away what I take.
--- Ryuji Akai, "Star away"


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




gpg key validity question

2002-04-25 Thread christophe barbé

Hi,

I wonder if it is acceptable to sign a key from someone that :

- I met him personally and saw his ID
- I saw him in a public meeting in a specific role (We can consider he
  is well known)
- I have a lot of public mails from him that are all signed

But the key makes no references to his name.

In my understanding the ID is useless but I have enough elements to
believe he is the guy he said he is.

I understand that if I sign his key I personally identify him and it
will be enough for him in regard to the identification part of the NM
process.

Should I sign his key ?

Christophe

-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Imagination is more important than knowledge.
   Albert Einstein, On Science





Re: gpg key validity question

2002-04-25 Thread Steve Langasek

On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:

> I wonder if it is acceptable to sign a key from someone that :

> - I met him personally and saw his ID
> - I saw him in a public meeting in a specific role (We can consider he
>   is well known)
> - I have a lot of public mails from him that are all signed

> But the key makes no references to his name.

> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.

> Should I sign his key ?

Since you're asking the question, I gather you also think there's
something not quite right here.  When you sign someone's key, you're
vouching that the key belongs to who it says it does.  That is, you're
asserting that you have knowledge of the identity of the person using
the key.  If the key doesn't have this person's name on it, what *does*
it have on it?  Is he using a pseudonym?  Is he only using an email
address?  I would not have a problem signing a key that had an email
address with no name as a uid; however, such a key is not useful for
the NM process: people become Debian Developers, not email addresses.

If the key uses a pseudonym, I would not sign it.

Have you received a PGP fingerprint from him in person?  If not, you 
don't have any proof that there isn't someone between you and him that 
intercepts all of his email and re-signs it with a different key.

Steve Langasek
postmodern programmer





Re: gpg key validity question

2002-04-25 Thread Chad Miller

On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:
> I wonder if it is acceptable to sign a key from someone that :
>   [irrelevant stuff]
> But the key makes no references to his name.
> 
> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

You're not vouching for his real life identity!

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.
> 
> Should I sign his key ?


No!  One doesn't really sign "keys".  One signs identification.  If you meet
someone, your goal is to match the picture ID with the face, and the name on
the ID with the UID in the keyring.  Just because we meet, and I show you
an ID doesn't mean you should accept any key I give you, else I could have
you vouch for the identity of myself as "Bubba <[EMAIL PROTECTED]>".

Now, there's usually no good way to match the email address with the
person, but as long as the name-part of the ID is okay, you might be
comfortable signing those you're reasonably sure are okay, but only if they
have the person's real name.  "Chad Miller <[EMAIL PROTECTED]>" is
hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
Chad Miller part.  It's the "Chad Miller" part that you're signing.

In short, meet someone.  Match their face to their ID.  Match their ID to
the key UID they claim.  Glance at the email address, to check that it's
not obviously bogus.  If any fail, then do nothing.

- chad






Re: gpg key validity question

2002-04-25 Thread christophe barbé


I forgot to mention that we exchanged encrypted secret words and that I
checked the fingerprint when I met him.

He uses his email address in his gpg key but his email address is not
related to his name.

I am sure he is the guy behind the key.
I started this thread because of the debian implication.

I believe that from the pure 'web of trust' point of view I can sign his
key.

Now from the debian point of view, I don't know.
I understand that the NM process needs an ID. So whether I sign his key or
not, it should not be possible for him to go further without providing a
gpg key containing his name and signed by a dd.
So this told me that I can sign his key. 

But I am not sure there is no flaw in the NM process here:
. Would an authentication be required if his without-ID key is signed
by a dd?
. What if he adds a with-ID uid to his key afterwards? I would not have signed
this new uid but then I am afraid that he will pass the 'Identification'
step of the NM process, even if he adds a false identity.

My current thought is that I will sign his key if he adds first a uid
with ID data corresponding to the ID I have checked. 

Christophe

On Thu, Apr 25, 2002 at 09:40:29AM -0500, Steve Langasek wrote:
> On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:
> 
> > I wonder if it is acceptable to sign a key from someone that :
> 
> > - I met him personally and saw his ID
> > - I saw him in a public meeting in a specific role (We can consider he
> >   is well known)
> > - I have a lot of public mails from him that are all signed
> 
> > But the key makes no references to his name.
> 
> > In my understanding the ID is useless but I have enough elements to
> > believe he is the guy he said he is.
> 
> > I understand that if I sign his key I personally identify him and it
> > will be enough for him in regard to the identification part of the NM
> > process.
> 
> > Should I sign his key ?
> 
> Since you're asking the question, I gather you also think there's
> something not quite right here.  When you sign someone's key, you're
> vouching that the key belongs to who it says it does.  That is, you're
> asserting that you have knowledge of the identity of the person using
> the key.  If the key doesn't have this person's name on it, what *does*
> it have on it?  Is he using a pseudonym?  Is he only using an email
> address?  I would not have a problem signing a key that had an email
> address with no name as a uid; however, such a key is not useful for
> the NM process: people become Debian Developers, not email addresses.
> 
> If the key uses a pseudonym, I would not sign it.
> 
> Have you received a PGP fingerprint from him in person?  If not, you 
> don't have any proof that there isn't someone between you and him that 
> intercepts all of his email and re-signs it with a different key.
> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Imagination is more important than knowledge.
   Albert Einstein, On Science





Re: gpg key validity question

2002-04-25 Thread Steve Langasek

On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.

> He uses his email address in his gpg key but his email address is not
> related to his name.

> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.

> I believe that from the pure 'web of trust' point of view I can sign his
> key.

> Now from the debian point of view, I don't know.
> I understand that the NM process needs an ID. So whether I sign his key or
> not, it should not be possible for him to go further without providing a
> gpg key containing his name and signed by a dd.
> So this told me that I can sign his key. 

> But I am not sure there is no flaw in the NM process here :
> . Would an authentication be required if his without-ID key is signed
> by a dd?
> . What if he adds a with-ID uid to his key afterwards? I would not have signed
> this new uid but then I am afraid that he will pass the 'Identification'
> step of the NM process, even if he adds a false identity.

> My current thought is that I will sign his key if he adds first a uid
> with ID data corresponding to the ID I have checked. 

I still don't understand what you mean by a 'without-ID key'.  It's
difficult to give you a clear answer unless you can give us tangible
information.  A PGP uid has three parts to it: a name, an email address,
and a comment.  What does he have in each of these?  If the PGP key he's
asking you to sign has a name OTHER than his own on it, then you should
NOT sign it:  if anything, you should mention this to his AM.

If he's trying to become a DD, he will need to have a PGP key that has
his real, legal name on it, with a valid email address, and this key
must be signed by an existing DD.  If he doesn't have a PGP key that has
his name on it, that's the first step that he must take.

Steve Langasek
postmodern programmer
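Chad's procedure earlier in the thread (match the face to the ID, the ID name to the key UID, glance at the email) and Steve's three-part uid above, turned into a per-uid check. This is an added example, not code from any poster or from GnuPG; the "Name (Comment) <email>" layout regex, the real-name heuristic and the sample uids and addresses are my own assumptions.

```python
import re
import unicodedata

# Convention assumed here (not GnuPG's own parser): a user ID is written
# "Name (Comment) <email>", where the comment and the email are optional.
UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?:<(?P<email>[^>]+)>)?\s*$"
)


def parse_uid(uid):
    """Split a uid into its three parts: name, comment, email."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"unparseable uid: {uid!r}")
    return {
        "name": m.group("name").strip(),
        "comment": (m.group("comment") or "").strip(),
        "email": (m.group("email") or "").strip(),
    }


def normalize_name(name):
    """Fold case, strip diacritics and collapse spaces so a name typed into a
    uid can be compared with the name printed (often in capitals) on an ID."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


def looks_like_real_name(name):
    """Heuristic (assumption): at least two alphabetic words, apostrophes and
    hyphens allowed inside a word. A single token such as 'Bubba' is treated
    as a nickname, i.e. something no ID document could confirm."""
    parts = name.split()
    if len(parts) < 2:
        return False
    word = re.compile(r"[^\W\d_]+(?:['\-][^\W\d_]+)*")
    return all(word.fullmatch(p) for p in parts)


def assess_uid(uid, verified_id_name):
    """Decide whether one uid may be signed, given the name read off the ID
    you checked in person. Returns (decision, reason)."""
    fields = parse_uid(uid)
    name = fields["name"]
    if not name:
        return ("do_not_sign", "uid has no name part; an email-only uid is no use for NM")
    if not looks_like_real_name(name):
        return ("do_not_sign", f"name part {name!r} looks like a nickname, not a real name")
    if normalize_name(name) != normalize_name(verified_id_name):
        return ("do_not_sign", f"name part {name!r} does not match the name on the ID")
    if "@" not in fields["email"]:
        return ("do_not_sign", "email part is missing or obviously bogus")
    return ("sign", "name matches the ID; a nickname, if any, is only in the comment")


def assess_key(uids, verified_id_name):
    """Signatures are per uid, so each uid is judged on its own: a real-name
    uid added later can be signed while the nickname-only uid stays unsigned,
    and a later uid carrying some other name is refused."""
    return {uid: assess_uid(uid, verified_id_name) for uid in uids}


if __name__ == "__main__":
    # Constructed sample key for the thread's nickname case; the addresses
    # are placeholders, not anyone's real uid.
    sample_uids = [
        "nickname <nick@example.org>",
        "Robert Redford (nickname) <nick@example.org>",
        "<nick@example.org>",
    ]
    for uid, (decision, reason) in assess_key(sample_uids, "ROBERT REDFORD").items():
        print(f"{decision:12} {uid!r}: {reason}")
```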





Re: gpg key validity question

2002-04-25 Thread Remi VANICAT

christophe barbé <[EMAIL PROTECTED]> writes:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.
> 
> He uses his email address in his gpg key but his email address is not
> related to his name.
> 
> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.
> 
> I believe that from the pure 'web of trust' point of view I can sign his
> key.
> 
> Now from the debian point of view, I don't know.  I understand that
> the NM process needs an ID. So whether I sign his key or not, it
> should not be possible for him to go further without providing a gpg
> key containing his name and signed by a dd.  So this told me that I
> can sign his key.

He may use a name related to his email address to enter NM
(at least if you have signed his gpg key).

-- 
Rémi Vanicat
[EMAIL PROTECTED]
http://dept-info.labri.u-bordeaux.fr/~vanicat






Re: gpg key validity question

2002-04-25 Thread Steve Langasek

On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.

> He uses his email address in his gpg key but his email address is not
> related to his name.

> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.

> I believe that from the pure 'web of trust' point of view I can sign his
> key.

> Now from the debian point of view, I don't know.
> I understand that the NM process needs an ID. So whether I sign his key or
> not, it should not be possible for him to go further without providing a
> gpg key containing his name and signed by a dd.
> So this told me that I can sign his key. 

> But I am not sure there is no flaw in the NM process here :
> . Would an authentication be required if his without-ID key is signed
> by a dd?
> . What if he adds a with-ID uid to his key afterwards? I would not have signed
> this new uid but then I am afraid that he will pass the 'Identification'
> step of the NM process, even if he adds a false identity.

> My current thought is that I will sign his key if he adds first a uid
> with ID data corresponding to the ID I have checked. 

Upon rereading, I see what you're asking here.  You're worried that if
you sign a uid that doesn't have his name on it, and he adds another uid
later that does have a name on it (not necessarily his), this will
mistakenly be accepted by the DAM as identification, correct?  Honestly,
I don't believe DAM is that sloppy, and I wouldn't worry about it...
Given how often people complain about the process being slow, I think 
it's clear that DAM takes the job very seriously :)

Steve Langasek
postmodern programmer





Re: gpg key validity question

2002-04-25 Thread christophe barbé

On Thu, Apr 25, 2002 at 10:04:39AM -0500, Steve Langasek wrote:
> I still don't understand what you mean by a 'without-ID key'.  It's
> difficult to give you a clear answer unless you can give us tangible
> information.  A PGP uid has three parts to it: a name, an email address,
> and a comment.  What does he have in each of these?  If the PGP key he's
> asking you to sign has a name OTHER than his own on it, then you should
> NOT sign it:  if anything, you should mention this to his AM.

Ok I clarify :

Let's say his name is Robert Redford and his email is [EMAIL PROTECTED]
Let's say that everybody knows him as and calls him nickname.

So his gpg uid is nickname <[EMAIL PROTECTED]>.

His email does not contain something that looks like a name.

I am sure he is nickname but the ID check is useless.

> If he's trying to become a DD, he will need to have a PGP key that has
> his real, legal name on it, with a valid email address, and this key
> must be signed by an existing DD.  If he doesn't have a PGP key that has
> his name on it, that's the first step that he must take.

Ok but my question is: Can I sign his key as-is? In my understanding I
can, but that means that the NM process is flawless in this regard and is
going to reject his key.

Christophe

> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

People that hate cats will come back as mice in their next life.
--Faith Resnick





Re: gpg key validity question

2002-04-25 Thread christophe barbé

On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> Upon rereading, I see what you're asking here.  You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct?  Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think 
> it's clear that DAM takes the job very seriously :)

So you understand my problem.
You think the NM process is flawless in this regard.

Do you think that with all the verifications I have done, I can sign his
key and by this way indicate that I know that this key belongs to the
well known person?

Christophe

> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

People that hate cats will come back as mice in their next life.
--Faith Resnick





Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Luigi Gangitano

Hi,
my name is Luigi Gangitano, I'm a member of LugRoma3 and a Debian user
for a couple of years now.

I'd like to become a Debian Developer, just because I need the 'sarg'
package on some of the servers I use.

Sarg (formerly known as SQMGRLOG) is a log analyzer for SQUID written by
Orso ([EMAIL PROTECTED]), that generates reports based on users, IP, time
and sites.

I've been using SQMGRLOG and Sarg on some Slackware boxes for years.

Now I've seen that sarg has been orphaned in January 2002 and I'd like to
become its maintainer, but I don't know any Debian Developer who can
promote my candidacy and I could not find any information about the
former sarg maintainer to contact and get info on his work.

Is anybody interested in helping me?

Thanks a lot.

L





Re: gpg key validity question

2002-04-25 Thread christophe barbé

On Thu, Apr 25, 2002 at 10:50:43AM -0400, Chad Miller wrote:
> No!  One doesn't really sign "keys".  One signs identification.  If you meet
> someone, your goal is to match the picture ID with the face, and the name on
> the ID with the UID in the keyring.  Just because we meet, and I show you
> an ID doesn't mean you should accept any key I give you, else I could have
> you vouch for the identity of myself as "Bubba <[EMAIL PROTECTED]>".
> 
> Now, there's usually no good way to match the email address with the
> person, but as long as the name-part of the ID is okay, you might be
> comfortable signing those you're reasonably sure are okay, but only if they
> have the person's real name.  "Chad Miller <[EMAIL PROTECTED]>" is
> hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
> Chad Miller part.  It's the "Chad Miller" part that you're signing.
> 
> In short, meet someone.  Match their face to their ID.  Match their ID to
> the key UID they claim.  Glance at the email address, to check that it's
> not obviously bogus.  If any fail, then do nothing.
> 
>   - chad

I understand your point of view. 

But :

IDs are easily forged. I am sure of that since I have seen how it works
here in the US when I got my Pennsylvania Driving License. In France
(where I am from) I believe it is harder to fake an ID but it's still
possible. I consider the ID to be ONLY a part of the verification
process. I believe that someone who signs a key of someone he knows well
after exchanging encrypted email gives you stronger proof than someone
who signs a key simply after seeing the fingerprint and the ID at a
signing party and meeting the person for the first and last time.

Christophe

-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats seem go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch





Re: gpg key validity question

2002-04-25 Thread Steve Langasek

On Thu, Apr 25, 2002 at 11:20:30AM -0400, christophe barbé wrote:
> On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > Upon rereading, I see what you're asking here.  You're worried that if
> > you sign a uid that doesn't have his name on it, and he adds another uid
> > later that does have a name on it (not necessarily his), this will
> > mistakenly be accepted by the DAM as identification, correct?  Honestly,
> > I don't believe DAM is that sloppy, and I wouldn't worry about it...
> > Given how often people complain about the process being slow, I think 
> > it's clear that DAM takes the job very seriously :)

> So you understand my problem.
> You think the NM process is flawless in this regard.

I don't know that it's flawless, but I'm not going to waste any time
second-guessing the process.

> Do you think that with all the verifications I have done, I can sign his
> key and by this way indicate that I know that this key belongs to the
> well known person?

I think if it's clear that the uid you're signing holds a nickname, and
not something that could be a real name, it's ok to sign it.

Steve Langasek
postmodern programmer





Re: gpg key validity question

2002-04-25 Thread Andrew Suffield

On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > He uses his email address in his gpg key but his email address is not
> > related to his name.
> 
> > I am sure he is the guy behind the key.
> > I started this thread because of the debian implication.
> 
> > I believe that from the pure 'web of trust' point of view I can sign his
> > key.
> 
> > Now from the debian point of view, I don't know.
> > I understand that the NM process needs an ID. So whether I sign his key or
> > not, it should not be possible for him to go further without providing a
> > gpg key containing his name and signed by a dd.
> > So this told me that I can sign his key. 

I would hope that the AM would not accept such a signature to pass the
identification stage, let alone the DAM.

> > But I am not sure there is no flaw in the NM process here :
> > . Would an authentication be required if his without-ID key is signed
> > by a dd?
> > . What if he adds a with-ID uid to his key afterwards? I would not have signed
> > this new uid but then I am afraid that he will pass the 'Identification'
> > step of the NM process, even if he adds a false identity.
> 
> > My current thought is that I will sign his key if he adds first a uid
> > with ID data corresponding to the ID I have checked. 

Yup, that works. It's still the same key.

> Upon rereading, I see what you're asking here.  You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct?  Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think 
> it's clear that DAM takes the job very seriously :)

Without firm identification, if he roots all the debian hosts and gets
kicked out, he could just create a new email account and do it
again. Names aren't optional.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'  | Imperial College,
   `- -><-  | London, UK






Re: gpg key validity question

2002-04-25 Thread Chad Miller

On Thu, Apr 25, 2002 at 11:22:50AM -0400, christophe barb? wrote:
> IDs are easily forged. I am sure of that since I have see how it works

To misquote Old Man Murray, it's better than relying on scent.

IDs are the best thing we have for identifying the person's real name,
and real names are _required_ for Debian.  Email addresses come and go.
Nicknames should be in comments of UIDs, not as real names.

Speaking of the fickleness of email address, IMO, everyone should have an
addressless UID on their keyrings, so that on the off chance that their ISP
sinks, all their trust metrics don't as well.

 - chad






Re: gpg key validity question

2002-04-25 Thread Henrique de Moraes Holschuh

On Thu, 25 Apr 2002, christophe barbé wrote:
> But the key makes no references to his name.
[...]
> Should I sign his key ?

No. Request that he adds a UID to his key with his name as it appears on
his documents (the name that he would have in an international travel pass,
for example), and sign THAT UID (and any others you have verified to be
completely true).

The NM process is not an 'internet resort club' :) That means using an ID
that is made up of a real name, that can be used to track down real people
in real life, and a verified email address to reach those people in internet
life...

Since the gpg signature IS our ID verification, we should be very strict on
that. I sure hope the DAM would reject an applicant that has a nickname for
his Debian signed UID...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh






Re: Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Joerg Jaspert

Luigi Gangitano <[EMAIL PROTECTED]> writes:

> Now I've seen that sarg has been orphaned in January 2002 and I'd like to
> become its maintainer, but I don't know any Debian Developer who can
> promote my candidacy and I could not find any information about the
> former sarg maintainer to contact and get info on his work.
> Is anybody interested in helping me?

Build a package for it (use the existing one, update it).
Ask again for a sponsor (or mail me, I'll sponsor you if there is no one else).
Get a gpg Key. Get it signed by an existing DD. Read nm.debian.org and
apply if you have an advocate (this can be your sponsor. After a time
he has sponsored you and knows that you do good packages :) )


-- 
begin  OjE-ist-scheisse.txt
bye, Joerg
Registered Linux User #97793 @ http://counter.li.org
end






Re: Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Luigi Gangitano

On Thu, 2002-04-25 at 21:25, Joerg Jaspert wrote:
> Luigi Gangitano <[EMAIL PROTECTED]> writes:
> > Now I've seen that sarg has been orphaned in January 2002 and I'd like to
> > become its maintainer, but I don't know any Debian Developer who can
> > promote my candidacy and I could not find any information about the
> > former sarg maintainer to contact and get info on his work.
> > Is anybody interested in helping me?
> 
> Build a package for it (use the existing one, update it).

Do you know where I can find info on a package that has been orphaned?
Since it is not in the archive anymore I don't know where to get the source
and rules for it... I'd like to reuse what has been done till now.

Thanks.

L





Re: gpg key validity question

2002-04-25 Thread Jason Lunz

[EMAIL PROTECTED] said:
>> Should I sign his key ?
> 
> No. Request that he adds a UID to his key with his name as it appears on
> his documents (the name that he would have in an international travel pass,
> for example), and sign THAT UID (and any others you have verified to be
> completely true).

I think this needs more consideration. What is being signed into the
trust web is an "identity". That can (and should) be independent of real
name. Why? Because there are people in the world who live in countries
or situations where they cannot safely reveal their real life identity.

If someone's gpg has the name "John Doe", you should indeed verify by
means of state-issued ID that they are indeed John Doe. But that is not
what makes them trustworthy to debian. What is more important is that
the holder of the John Doe key has proven themselves worthy of trust, by
having an established history of doing competent work for debian.

If you think about it, a trustworthy pseudonym with a history of doing
good work (with that work gpg-signed by that pseudonym, of course) is
_harder_ to fake than a "real" state-issued ID.  As long as someone has
properly established a trustworthy pseudonym, I can't think of any
reason why they shouldn't be signed into the debian web of trust.

Is there anything wrong with that reasoning?

Jason






Re: gpg key validity question

2002-04-25 Thread Papa Smurf

On Thu, Apr 25, 2002 at 05:38:40PM -0400, Jason Lunz wrote:
> I think this needs more consideration. What is being signed into the
> trust web is an "identity". That can (and should) be independent of real
> name. Why? Because there are people in the world who live in countries
> or situations where they cannot safely reveal their real life identity.

That's absurd.  Two reasons:

Debian is an open organization.  We rely on the credibility and publicity
of our developers as insurance that we're not likely to hax0r our
"customers'" boxes.  Our willingness to be open about everything is what makes
us credible.  We don't hide problems.  If working on Debian personally
conflicts with Debian's Social Contract, you shouldn't work on Debian.

If one's safety is threatened by working on Debian, then you certainly
don't want to be found to own the secret key that _provably_ signed some
threatening work.  

> If someone's gpg has the name "John Doe", you should indeed verify by
> means of state-issued ID that they are indeed John Doe. But that is not
> what makes them trustworthy to debian. What is more important is that
> the holder of the John Doe key has proven themselves worthy of trust, by
> having an established history of doing competent work for debian.

Technical competency is another step to NM, _after_ proving identity.
That doesn't mean we should abolish the identification step, though.
 
> If you think about it, a trustworthy pseudonym with a history of doing
> good work (with that work gpg-signed by that pseudonym, of course) is
> _harder_ to fake than a "real" state-issued ID.  As long as someone has
> properly established a trustworthy pseudonym, I can't think of any
> reason why they shouldn't be signed into the debian web of trust.

Pseudonyms are completely arbitrary.  Some good identification isn't
completely arbitrary.  Being "Chad L. Miller" is much better than being
Papa Smurf, Zero-Cool, or Deep Throat.  Imagine "Hog Farmer 1" as a
signature on the US' Declaration of Independence.

Suppose "Zero-Cool" does something really bad and we expel her from the
project.  What's to stop her from using another pseudonym and email address
to reapply to NM?  

Real names and IDs aren't totally trustworthy, but pseudonyms are worth
exactly shit.

- chad






Re: gpg key validity question

2002-04-25 Thread Henrique de Moraes Holschuh

On Thu, 25 Apr 2002, Jason Lunz wrote:
> trust web is an "identity". That can (and should) be independent of real
> name. Why? Because there are people in the world who live in countries
> or situations where they cannot safely reveal their real life identity.

Join the cDc then, but not Debian.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh







Re: gpg key validity question

2002-04-25 Thread Steve Langasek
On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:

> I wonder if it is acceptable to sign a key from someone that :

> - I met him personally and saw his ID
> - I saw him in a public meeting in a specific role (We can consider he
>   is well known)
> - I have a lot of public mails from him that are all signed

> But the key makes no references to his name.

> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.

> Should I sign his key ?

Since you're asking the question, I gather you also think there's
something not quite right here.  When you sign someone's key, you're
vouching that the key belongs to who it says it does.  That is, you're
asserting that you have knowledge of the identity of the person using
the key.  If the key doesn't have this person's name on it, what *does*
it have on it?  Is he using a pseudonym?  Is he only using an email
address?  I would not have a problem signing a key that had an email
address with no name as a uid; however, such a key is not useful for
the NM process: people become Debian Developers, not email addresses.

If the key uses a pseudonym, I would not sign it.

Have you received a PGP fingerprint from him in person?  If not, you 
don't have any proof that there isn't someone between you and him that 
intercepts all of his email and re-signs it with a different key.

Steve Langasek
postmodern programmer




Re: gpg key validity question

2002-04-25 Thread Chad Miller
On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:
> I wonder if it is acceptable to sign a key from someone that:
>   [irrelevant stuff]
> But the key makes no references to his name.
> 
> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

You're not vouching for his real life identity!

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.
> 
> Should I sign his key ?


No!  One doesn't really sign "keys".  One signs identification.  If you meet
someone, your goal is to match the picture ID with the face, and the name on
the ID with the UID in the keyring.  Just because we meet, and I show you
an ID doesn't mean you should accept any key I give you, else I could have
you vouch for the identity of myself as "Bubba <[EMAIL PROTECTED]>".

Now, there's usually no good way to match the email address with the
person, but as long as the name-part of the ID is okay, you might be
comfortable signing those you're reasonably sure are okay, but only if they
have the person's real name.  "Chad Miller <[EMAIL PROTECTED]>" is
hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
Chad Miller part.  It's the "Chad Miller" part that you're signing.

In short, meet someone.  Match their face to their ID.  Match their ID to
the key UID they claim.  Glance at the email address, to check that it's
not obviously bogus.  If any fail, then do nothing.

- chad


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: gpg key validity question

2002-04-25 Thread christophe barbé

I forgot to mention that we exchanged encrypted secret words and that I
checked the fingerprint when I met him.

He uses his email address in his gpg key but his email address is not
related to his name.

I am sure he is the guy behind the key.
I started this thread because of the debian implication.

I believe that from the pure 'web of trust' point of view I can sign his
key.

Now from the debian point of view, I don't know.
I understand that the NM process needs an ID. So even if I sign his key or
not, it should not be possible for him to go further without providing a
gpg key containing his name and signed by a dd.
So this told me that I can sign his key.

But I am not sure there is no flaw in the NM process here:
. Would an authentication be required if his without-ID key is signed
by a dd?
. What if he adds a with-ID uid in his key after? I would not have signed
this new uid but then I am afraid that he will pass the 'Identification'
step of the NM process. Even if he adds a false identity.

My current thought is that I will sign his key if he adds first a uid
with ID data corresponding to the ID I have checked. 

Christophe

On Thu, Apr 25, 2002 at 09:40:29AM -0500, Steve Langasek wrote:
> On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:
> 
> > I wonder if it is acceptable to sign a key from someone that :
> 
> > - I met him personally and saw his ID
> > - I saw him in a public meeting in a specific role (We can consider he
> >   is well known)
> > - I have a lot of public mails from him that are all signed
> 
> > But the key makes no references to his name.
> 
> > In my understanding the ID is useless but I have enough elements to
> > believe he is the guy he said he is.
> 
> > I understand that if I sign his key I personally identify him and it
> > will be enough for him in regard to the identification part of the NM
> > process.
> 
> > Should I sign his key ?
> 
> Since you're asking the question, I gather you also think there's
> something not quite right here.  When you sign someone's key, you're
> vouching that the key belongs to who it says it does.  That is, you're
> asserting that you have knowledge of the identity of the person using
> the key.  If the key doesn't have this person's name on it, what *does*
> it have on it?  Is he using a pseudonym?  Is he only using an email
> address?  I would not have a problem signing a key that had an email
> address with no name as a uid; however, such a key is not useful for
> the NM process: people become Debian Developers, not email addresses.
> 
> If the key uses a pseudonym, I would not sign it.
> 
> Have you received a PGP fingerprint from him in person?  If not, you 
> don't have any proof that there isn't someone between you and him that 
> intercepts all of his email and re-signs it with a different key.
> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Imagination is more important than knowledge.
   Albert Einstein, On Science




Re: gpg key validity question

2002-04-25 Thread Steve Langasek
On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.

> He uses his email address in his gpg key but his email address is not
> related to his name.

> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.

> I believe that from the pure 'web of trust' point of view I can sign his
> key.

> Now from the debian point of view, I don't know.
> I understand that the NM process needs an ID. So even if I sign his key or
> not, it should not be possible for him to go further without providing a
> gpg key containing his name and signed by a dd.
> So this told me that I can sign his key. 

> But I am not sure there is no flaw in the NM process here:
> . Would an authentication be required if his without-ID key is signed
> by a dd?
> . What if he adds a with-ID uid in his key after? I would not have signed
> this new uid but then I am afraid that he will pass the 'Identification'
> step of the NM process. Even if he adds a false identity.

> My current thought is that I will sign his key if he adds first a uid
> with ID data corresponding to the ID I have checked. 

I still don't understand what you mean by a 'without-ID key'.  It's
difficult to give you a clear answer unless you can give us tangible
information.  A PGP uid has three parts to it: a name, an email address,
and a comment.  What does he have in each of these?  If the PGP key he's
asking you to sign has a name OTHER than his own on it, then you should
NOT sign it:  if anything, you should mention this to his AM.

If he's trying to become a DD, he will need to have a PGP key that has
his real, legal name on it, with a valid email address, and this key
must be signed by an existing DD.  If he doesn't have a PGP key that has
his name on it, that's the first step that he must take.

Steve Langasek
postmodern programmer




Re: gpg key validity question

2002-04-25 Thread Remi VANICAT
christophe barbé <[EMAIL PROTECTED]> writes:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.
> 
> He uses his email address in his gpg key but his email address is not
> related to his name.
> 
> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.
> 
> I believe that from the pure 'web of trust' point of view I can sign his
> key.
> 
> Now from the debian point of view, I don't know.  I understand that
> the NM process needs an ID. So even if I sign his key or not, it
> should not be possible for him to go further without providing a gpg
> key containing his name and signed by a dd.  So this told me that I
> can sign his key.

He may use a name related to his email address to enter NM
(at least if you have signed his gpg key).

-- 
Rémi Vanicat
[EMAIL PROTECTED]
http://dept-info.labri.u-bordeaux.fr/~vanicat





Re: gpg key validity question

2002-04-25 Thread Steve Langasek
On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.

> He uses his email address in his gpg key but his email address is not
> related to his name.

> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.

> I believe that from the pure 'web of trust' point of view I can sign his
> key.

> Now from the debian point of view, I don't know.
> I understand that the NM process needs an ID. So even if I sign his key or
> not, it should not be possible for him to go further without providing a
> gpg key containing his name and signed by a dd.
> So this told me that I can sign his key. 

> But I am not sure there is no flaw in the NM process here:
> . Would an authentication be required if his without-ID key is signed
> by a dd?
> . What if he adds a with-ID uid in his key after? I would not have signed
> this new uid but then I am afraid that he will pass the 'Identification'
> step of the NM process. Even if he adds a false identity.

> My current thought is that I will sign his key if he adds first a uid
> with ID data corresponding to the ID I have checked. 

Upon rereading, I see what you're asking here.  You're worried that if
you sign a uid that doesn't have his name on it, and he adds another uid
later that does have a name on it (not necessarily his), this will
mistakenly be accepted by the DAM as identification, correct?  Honestly,
I don't believe DAM is that sloppy, and I wouldn't worry about it...
Given how often people complain about the process being slow, I think 
it's clear that DAM takes the job very seriously :)

Steve Langasek
postmodern programmer




Re: gpg key validity question

2002-04-25 Thread christophe barbé
On Thu, Apr 25, 2002 at 10:04:39AM -0500, Steve Langasek wrote:
> I still don't understand what you mean by a 'without-ID key'.  It's
> difficult to give you a clear answer unless you can give us tangible
> information.  A PGP uid has three parts to it: a name, an email address,
> and a comment.  What does he have in each of these?  If the PGP key he's
> asking you to sign has a name OTHER than his own on it, then you should
> NOT sign it:  if anything, you should mention this to his AM.

OK, I'll clarify:

Let's say his name is Robert Redford and his email is [EMAIL PROTECTED]
Let's say that everybody knows him as and calls him nickname.

So his gpg uid is nickname <[EMAIL PROTECTED]>.

His email does not contain something that looks like a name.

I am sure he is nickname but the ID check is useless.

> If he's trying to become a DD, he will need to have a PGP key that has
> his real, legal name on it, with a valid email address, and this key
> must be signed by an existing DD.  If he doesn't have a PGP key that has
> his name on it, that's the first step that he must take.

OK, but my question is: can I sign his key as-is? In my understanding I
can, but that means the NM process is flawless in this regard and is
going to reject his key.

Christophe

> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

People that hate cats will come back as mice in their next life.
--Faith Resnick




Re: gpg key validity question

2002-04-25 Thread christophe barbé
On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> Upon rereading, I see what you're asking here.  You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct?  Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think 
> it's clear that DAM takes the job very seriously :)

So you understand my problem.
You think the NM process is flawless in this regard.

Do you think that with all the verifications I have done, I can sign his
key and by this way indicate that I know that this key belongs to the
well-known person?

Christophe

> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

People that hate cats will come back as mice in their next life.
--Faith Resnick




Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Luigi Gangitano
Hi,
my name is Luigi Gangitano, I'm a member of LugRoma3 and a Debian user
for a couple of years, now.

I'd like to become a Debian Developer, just because I need the 'sarg'
package on some of the servers I use.

Sarg (formerly known as SQMGRLOG) is a log analyzer for SQUID written by
Orso ([EMAIL PROTECTED]), that generates reports based on users, IP, time
and sites.

I've been using SQMGRLOG and Sarg on some Slackware boxes for years.

Now I've seen that sarg has been orphaned in January 2002 and I'd like to
become its maintainer, but I don't know any Debian Developer that can
promote my candidacy and I could not find any information about the
former sarg maintainer to contact and get info on his work.

Is anybody interested in helping me?

Thanks a lot.

L




Re: gpg key validity question

2002-04-25 Thread christophe barbé
On Thu, Apr 25, 2002 at 10:50:43AM -0400, Chad Miller wrote:
> No!  One doesn't really sign "keys".  One signs identification.  If you meet
> someone, your goal is to match the picture ID with the face, and the name on
> the ID with the UID in the keyring.  Just because we meet, and I show you
> an ID doesn't mean you should accept any key I give you, else I could have
> you vouch for the identity of myself as "Bubba <[EMAIL PROTECTED]>".
> 
> Now, there's usually no good way to match the email address with the
> person, but as long as the name-part of the ID is okay, you might be
> comfortable signing those you're reasonably sure are okay, but only if they
> have the person's real name.  "Chad Miller <[EMAIL PROTECTED]>" is
> hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
> Chad Miller part.  It's the "Chad Miller" part that you're signing.
> 
> In short, meet someone.  Match their face to their ID.  Match their ID to
> the key UID they claim.  Glance at the email address, to check that it's
> not obviously bogus.  If any fail, then do nothing.
> 
>   - chad

I understand your point of view. 

But :

IDs are easily forged. I am sure of that since I have seen how it works
here in the US when I got my Pennsylvania Driving License. In France
(where I am from) I believe it is harder to fake an ID but it's still
possible. I consider the ID to be ONLY a part of the verification
process. I believe that someone who signs a key of someone he knows well
after exchanging encrypted email gives you a stronger proof than someone
who signs a key simply after seeing the fingerprint and the ID at a
signing party and meeting the person for the first and last time.

Christophe

-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats seem go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch




Re: gpg key validity question

2002-04-25 Thread Steve Langasek
On Thu, Apr 25, 2002 at 11:20:30AM -0400, christophe barbé wrote:
> On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > Upon rereading, I see what you're asking here.  You're worried that if
> > you sign a uid that doesn't have his name on it, and he adds another uid
> > later that does have a name on it (not necessarily his), this will
> > mistakenly be accepted by the DAM as identification, correct?  Honestly,
> > I don't believe DAM is that sloppy, and I wouldn't worry about it...
> > Given how often people complain about the process being slow, I think 
> > it's clear that DAM takes the job very seriously :)

> So you understand my problem.
> You think the NM process is flawless in this regard.

I don't know that it's flawless, but I'm not going to waste any time
second-guessing the process.

> Do you think that with all the verifications I have done, I can sign his
> key and by this way indicate that I know that this key belongs to the
> well known person.

I think if it's clear that the uid you're signing holds a nickname, and
not something that could be a real name, it's ok to sign it.

Steve Langasek
postmodern programmer




Re: gpg key validity question

2002-04-25 Thread Andrew Suffield
On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > He uses his email address in his gpg key but his email address is not
> > related to his name.
> 
> > I am sure he is the guy behind the key.
> > I started this thread because of the debian implication.
> 
> > I believe that from the pure 'web of trust' point of view I can sign his
> > key.
> 
> > Now from the debian point of view, I don't know.
> > I understand that the NM process needs an ID. So even if I sign his key or
> > not, it should not be possible for him to go further without providing a
> > gpg key containing his name and signed by a dd.
> > So this told me that I can sign his key. 

I would hope that the AM would not accept such a signature to pass the
identification stage, let alone the DAM.

> > But I am not sure there is no flaw in the NM process here:
> > . Would an authentication be required if his without-ID key is signed
> > by a dd?
> > . What if he adds a with-ID uid in his key after? I would not have signed
> > this new uid but then I am afraid that he will pass the 'Identification'
> > step of the NM process. Even if he adds a false identity.
> 
> > My current thought is that I will sign his key if he adds first a uid
> > with ID data corresponding to the ID I have checked. 

Yup, that works. It's still the same key.

> Upon rereading, I see what you're asking here.  You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct?  Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think 
> it's clear that DAM takes the job very seriously :)

Without firm identification, if he roots all the debian hosts and gets
kicked out, he could just create a new email account and do it
again. Names aren't optional.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'  | Imperial College,
   `- -><-  | London, UK





Re: gpg key validity question

2002-04-25 Thread Chad Miller
On Thu, Apr 25, 2002 at 11:22:50AM -0400, christophe barbé wrote:
> IDs are easily forged. I am sure of that since I have seen how it works

To misquote Old Man Murray, it's better than relying on scent.

IDs are the best thing we have for identifying the person's real name,
and real names are _required_ for Debian.  Email addresses come and go.
Nicknames should be in comments of UIDs, not as real names.

Speaking of the fickleness of email addresses, IMO, everyone should have an
addressless UID on their keyrings, so that on the off chance that their ISP
sinks, all their trust metrics don't as well.

 - chad



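The User ID structure Steve describes (name, comment, email address) and Chad's point that nicknames belong in the comment, worked through as an added example; this is not code posted by anyone in the thread. It splits a UID into its three parts and applies the checks the thread discusses: fingerprint verified in person, name part compared with the name on the identity document, and nickname-only or address-only UIDs flagged as not identifying the person for NM. The parse_uid/assess functions, the verdicts, the sample UIDs and the example.org addresses are constructed for this illustration (the "Robert Redford" name is the thread's own example).

```python
"""Checks on an OpenPGP User ID before signing it.

Constructed example for this thread, not code posted by anyone in it.
A User ID is split into the three parts Steve names (name, comment,
email address) and judged the way the thread describes: the name part
is compared with the name on the identity document checked in person,
and a fingerprint checked in person is required first (without it, as
Steve points out, someone re-signing the mail with another key cannot be
ruled out).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Conventional layout "Name (Comment) <email>"; every part is optional.
UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?:<(?P<email>[^<>\s]+@[^<>\s]+)>)?\s*$"
)
# Heuristic for "could be a real name": two or more tokens, each capitalised
# (an initial such as "L." is allowed).  Pseudonyms like "Papa Smurf" pass
# this on purpose: the structural test is never sufficient on its own, which
# is why assess() also compares the name with the verified document name.
NAME_TOKEN = re.compile(r"^[A-Z][A-Za-z'\-]*\.?$")


@dataclass(frozen=True)
class UserID:
    name: str
    comment: Optional[str]
    email: Optional[str]


@dataclass(frozen=True)
class Verdict:
    kind: str                # "unverified", "email_only", "nickname", "real_name"
    sign: bool               # may this UID be signed at all?
    nm_identification: bool  # does it identify the person for the NM process?
    reason: str


def parse_uid(uid: str) -> UserID:
    """Split a User ID string into name, comment and email."""
    m = UID_RE.match(uid)
    if not m or not (m.group("name") or m.group("email")):
        raise ValueError(f"unparseable User ID: {uid!r}")
    return UserID(m.group("name").strip(), m.group("comment"), m.group("email"))


def looks_like_real_name(name: str) -> bool:
    tokens = name.split()
    return len(tokens) >= 2 and all(NAME_TOKEN.match(t) for t in tokens)


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def assess(uid: str, verified_name: str, fingerprint_checked_in_person: bool) -> Verdict:
    """Decide whether one UID may be signed and what it proves for NM.

    verified_name is the name read off the identity document in person.
    """
    u = parse_uid(uid)
    if not fingerprint_checked_in_person:
        return Verdict("unverified", False, False,
                       "fingerprint not verified in person; signed mail alone "
                       "does not exclude someone re-signing it with another key")
    if not u.name:
        return Verdict("email_only", True, False,
                       "no name: signable, but people become developers, "
                       "not email addresses")
    if not looks_like_real_name(u.name):
        return Verdict("nickname", False, False,
                       "nickname in the name field: have a UID with the "
                       "documented name added and sign that one instead")
    if _norm(u.name) != _norm(verified_name):
        return Verdict("real_name", False, False,
                       "name differs from the identity document: do not sign")
    # Name matches the document.  A nickname in the comment is fine (that is
    # where the thread says it belongs); NM additionally wants an email address.
    return Verdict("real_name", True, u.email is not None,
                   "name matches the document"
                   + ("" if u.email else "; addressless UID, not an NM identification on its own"))


if __name__ == "__main__":
    # Constructed UIDs modelled on the thread's examples; example.org stands in
    # for the redacted addresses.  The document name checked is "Robert Redford".
    samples = [
        "nickname <nickname@example.org>",
        "<nickname@example.org>",
        "Robert Redford (nickname) <nickname@example.org>",
        "Robert Redford",
        "Papa Smurf <smurf@example.org>",
    ]
    for s in samples:
        v = assess(s, "Robert Redford", fingerprint_checked_in_person=True)
        print(f"{s:50} {v.kind:10} sign={v.sign!s:5} nm={v.nm_identification!s:5} {v.reason}")
```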


Re: gpg key validity question

2002-04-25 Thread Henrique de Moraes Holschuh
On Thu, 25 Apr 2002, christophe barbé wrote:
> But the key makes no references to his name.
[...]
> Should I sign his key ?

No. Request that he adds a UID to his key with his name as it appears on
his documents (the name that he would have in an international travel pass,
for example), and sign THAT UID (and any others you have verified to be
completely true).

The NM process is not an 'internet resort club' :) That means using an ID
that is made up of a real name, that can be used to track down real people
in real life, and a verified email address to reach those people in internet
life...

Since the gpg signature IS our ID verification, we should be very strict on
that. I sure hope the DAM would reject an applicant that has a nickname for
his Debian signed UID...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Joerg Jaspert
Luigi Gangitano <[EMAIL PROTECTED]> writes:

> Now I've seen that sarg has been orphaned in January 2002 and I'd like to
> become its maintainer, but I don't know any Debian Developer that can
> promote my candidacy and I could not find any information about the
> former sarg maintainer to contact and get info on his work.
> Is anybody interested in helping me?

Build a package for it (use the existing one, update it).
Ask again for a sponsor (or mail me, I'll sponsor you if there is no one else).
Get a gpg Key. Get it signed by an existing DD. Read nm.debian.org and
apply if you have an advocate (this can be your sponsor. After a time
he has sponsored you and knows that you do good packages :) )


-- 
begin  OjE-ist-scheisse.txt
bye, Joerg
Registered Linux User #97793 @ http://counter.li.org
end





Re: Maintainer Wannabe - sarg package adoption?

2002-04-25 Thread Luigi Gangitano
On Thu, 2002-04-25 at 21:25, Joerg Jaspert wrote:
> Luigi Gangitano <[EMAIL PROTECTED]> writes:
> > Now I've seen that sarg has been orphaned in January 2002 and I'd like to
> > become its maintainer, but I don't know any Debian Developer that can
> > promote my candidacy and I could not find any information about the
> > former sarg maintainer to contact and get info on his work.
> > Is anybody interested in helping me?
> 
> Build a package for it (use the existing one, update it).

Do you know where I can find info on a package that has been orphaned?
Since it is not in the archive anymore I don't know where to get source
and rules for it... I'd like to reuse what has been done till now.

Thanks.

L




Re: gpg key validity question

2002-04-25 Thread Jason Lunz
[EMAIL PROTECTED] said:
>> Should I sign his key ?
> 
> No. Request that he adds an UID to his key with his name as it appears on
> his documents (the name that he would have in a international travel pass,
> for example), and sign THAT UID (and any others you have verified to be
> completely true).

I think this needs more consideration. What is being signed into the
trust web is an "identity". That can (and should) be independent of real
name. Why? Because there are people in the world who live in countries
or situations where they cannot safely reveal their real life identity.

If someone's gpg has the name "John Doe", you should indeed verify by
means of state-issued ID that they are indeed John Doe. But that is not
what makes them trustworthy to debian. What is more important is that
the holder of the John Doe key has proven themselves worthy of trust, by
having an established history of doing competent work for debian.

If you think about it, a trustworthy pseudonym with a history of doing
good work (with that work gpg-signed by that pseudonym, of course) is
_harder_ to fake than a "real" state-issued ID.  As long as someone has
properly established a trustworthy pseudonym, I can't think of any
reason why they shouldn't be signed into the debian web of trust.

Is there anything wrong with that reasoning?

Jason





Re: gpg key validity question

2002-04-25 Thread Papa Smurf
On Thu, Apr 25, 2002 at 05:38:40PM -0400, Jason Lunz wrote:
> I think this needs more consideration. What is being signed into the
> trust web is an "identity". That can (and should) be independent of real
> name. Why? Because there are people in the world who live in countries
> or situations where they cannot safely reveal their real life identity.

That's absurd.  Two reasons:

Debian is an open organization.  We rely on the credibility and publicity
of our developers as insurance that we're not likely to hax0r our
"customers'" boxes.  Our willingness to be open about everything is what
makes us credible.  We don't hide problems.  If working on Debian
personally conflicts with Debian's Social Contract, you shouldn't work on
Debian.

If one's safety is threatened by working on Debian, then you certainly
don't want to be found to own the secret key that _provably_ signed some
threatening work.  

> If someone's gpg has the name "John Doe", you should indeed verify by
> means of state-issued ID that they are indeed John Doe. But that is not
> what makes them trustworthy to debian. What is more important is that
> the holder of the John Doe key has proven themselves worthy of trust, by
> having an established history of doing competent work for debian.

Technical competency is another step to NM, _after_ proving identity.
That doesn't mean we should abolish the identification step, though.
 
> If you think about it, a trustworthy pseudonym with a history of doing
> good work (with that work gpg-signed by that pseudonym, of course) is
> _harder_ to fake than a "real" state-issued ID.  As long as someone has
> properly established a trustworthy pseudonym, I can't think of any
> reason why they shouldn't be signed into the debian web of trust.

Pseudonyms are completely arbitrary.  Some good identification isn't
completely arbitrary.  Being "Chad L. Miller" is much better than being
Papa Smurf, Zero-Cool, or Deep Throat.  Imagine "Hog Farmer 1" as a
signature on the US' Declaration of Independence.

Suppose "Zero-Cool" does something really bad and we expel her from the
project.  What's to stop her from using another pseudonym and email address
to reapply to NM?  

Real names and IDs aren't totally trustworthy, but pseudonyms are worth
exactly shit.

- chad





Re: gpg key validity question

2002-04-25 Thread Henrique de Moraes Holschuh
On Thu, 25 Apr 2002, Jason Lunz wrote:
> trust web is an "identity". That can (and should) be independent of real
> name. Why? Because there are people in the world who live in countries
> or situations where they cannot safely reveal their real life identity.

Join the cDc then, but not Debian.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

