Re: [aur-general] GPG Key Signing
On Fri 02 Dec 2011 14:02 +1000, Allan McRae wrote: > On 02/12/11 12:37, Loui Chang wrote: > > Let Ionut be the first to provide > > enough personal information to satisfy naysayers. I've never met him, so > > I have my doubts. :P > > Such as Is that supposed to be a question? > > gpg --list-sigs Ionut > pub 2048R/615137BC 2011-04-19 > uid Ionut Biru > sig P65D0FD58 2011-04-19 CA Cert Signing Authority (Root CA) > This doesn't mean anything to me. I've never met CA Cert either and I doubt whether CA Cert has met Ionut Biru to confirm his identity. Also meeting does not guarantee positive identity. Drivers licenses and passports can be forged. Anyways... in case you missed it: :P
Re: [aur-general] GPG Key Signing
[2011-12-02 07:59:10 +0100] Thomas Bächler: > Am 01.12.2011 23:08, schrieb Gaetan Bisson: > > [2011-12-01 09:08:39 -0600] Thomas Dziedzic: > >> I don't think anyone has actually verified that any of the given names > >> are real names. > > > > Well, actually, CAcert (which Dan relies on) is all about verifying > > people's actual identity, in particular their name and birth date. > > And that information is useful to you because ...? Your question is irrelevant here. I was just asserting that, yes, the names of certain devs have actually been verified. > >> What's important is that you're verified that you use the key to sign > >> your packages in case someone does get compromised or decides to go > >> rogue, then we will have a way to easily track which packages should > >> become void. > > > > That feature was already achieved by permissions on gerolde/sigurd... > > It wasn't. Yes, it was. > > The whole point of package signing is to neutralize attacks against our > > repositories (our servers but also third-party mirrors). > > That's only part of the point. The other part is - as mentioned - the > ability to revoke trust from rogue packagers. No. From that standpoint, package signing does nothing more than permissions on gerolde/sigurd - as mentioned. > I'll ask you the same question I asked before, when we already had this > discussion: What benefit does knowing someone's real identity give you? > (and please, I'd really like to get an answer this time) You had an answer (actually, several answers, and not just from me) last time - it's just that you didn't like them so you chose to ignore them, but they're still all in your email archives. (See, I can be disagreeable too.) -- Gaetan pgp1OFSLvE8aJ.pgp Description: PGP signature
Re: [aur-general] GPG Key Signing
Am 01.12.2011 23:08, schrieb Gaetan Bisson: > [2011-12-01 09:08:39 -0600] Thomas Dziedzic: >> I don't think anyone has actually verified that any of the given names >> are real names. > > Well, actually, CAcert (which Dan relies on) is all about verifying > people's actual identity, in particular their name and birth date. And that information is useful to you because ...? >> What's important is that you're verified that you use the key to sign >> your packages in case someone does get compromised or decides to go >> rogue, then we will have a way to easily track which packages should >> become void. > > That feature was already achieved by permissions on gerolde/sigurd... It wasn't. > The whole point of package signing is to neutralize attacks against our > repositories (our servers but also third-party mirrors). That's only part of the point. The other part is - as mentioned - the ability to revoke trust from rogue packagers. > I find Dan's verification requirements quite reasonable, and I am > pleased he takes a different approach than other master key holders: > what would be the point of everyone verifying the same thing? > > Yes, that Xyne person (well, it could even be a group of people, for all > we know) has pushed good packages to the repos, but developers and > trusted users are not just package producing machines, and it doesn't > strike me as odd that a distro expects a little transparency from them. I'll ask you the same question I asked before, when we already had this discussion: What benefit does knowing someone's real identity give you? (and please, I'd really like to get an answer this time) TBH, I wish I would have chosen a pseudonym when I started doing things publicly on the internet. I wish I never would have given anyone my real name. It's too late for that now, I'm afraid. > Of course, that is only my opinion: verification policy is for each > master key holder to decide individually - that's what they were > entrusted with when they were selected. We should have agreed on a common policy on this matter. It sends mixed signals when a packager is only signed by some key holders and not others. And, IMO, it is an affront to this community to reject someone who has been contributing for years. signature.asc Description: OpenPGP digital signature
Re: [aur-general] GPG Key Signing
On 02/12/11 12:37, Loui Chang wrote: > Let Ionut be the first to provide > enough personal information to satisfy naysayers. I've never met him, so > I have my doubts. :P Such as > gpg --list-sigs Ionut pub 2048R/615137BC 2011-04-19 uid Ionut Biru sig P65D0FD58 2011-04-19 CA Cert Signing Authority (Root CA)
Re: [aur-general] GPG Key Signing
On Fri 02 Dec 2011 01:23 +0100, Xyne wrote: > Ionut Biru wrote: > > > why are you so sure that I'll sign it? > > I no longer am, but until you replied I never had any reason to doubt it. > > As for the discussion about my name: > > I could easily claim a fake name to make you happy and you would never > know the difference. The name means absolutely nothing. You ought to just for fun. ;) > As I said to keenerd in a private email, if this is really an issue > for some of you then start a discussion and call a vote to remove me > as a TU. Even if the vote passes I may resign if I see many that would > like me gone, so you win. Such a vote should never pass, otherwise every Trusted User would have to positively identified be fair. Let Ionut be the first to provide enough personal information to satisfy naysayers. I've never met him, so I have my doubts. :P
Re: [aur-general] GPG Key Signing
On Fri, Dec 2, 2011 at 1:23 AM, Xyne wrote: > Ionut Biru wrote: > >> why are you so sure that I'll sign it? > > I no longer am, but until you replied I never had any reason to doubt it. > > > As for the discussion about my name: > > As stated, there could be many reasons. Perhaps I do not wish to be found by > someone for whatever reason. Perhaps my name appears in publications and I do > not wish to have people who read them contact me here. Perhaps I simply enjoy > anonymity for the sake of anonymity. > > I could easily claim a fake name to make you happy and you would never know > the > difference. The name means absolutely nothing. > > I have been an active member of this community for over 3 years and a TU for > about 2.5. I have made numerous contributions during that time. I have had > ample opportunity to be malicious had I so chosen (e.g. when > powerpill/bauerbill were way up on the package stats). > > You know me through my deeds here. They mean much more than some random name. > > Also, consider this. I am much more civil to people behind an anonymous > identity than people like Angel are behind their (presumably) real names. That > in itself should say something about my character. > > As I said to keenerd in a private email, if this is really an issue for some > of > you then start a discussion and call a vote to remove me as a TU. Even if the > vote passes I may resign if I see many that would like me gone, so you win. > > For what it's worth, I really do like this community and I hope to continue to > contribute to it. This has never been an issue before and the only reason it > might be an issue now is because some people confuse trivial knowledge with > intimacy and trust. Trust should be built on deeds and experience, not how > many > blanks you can fill in on a piece of paper. > Even if it's more plesant to talk to people who don't hide their identities, I agree with Xyne and Thomas. The relationships we build together by sharing, packaging, hacking is a higher level of trust that a real identity or a 5 minutes meeting in a café. I'm wondering, reading this thread, why packages signing, which is a wonderful technical way to be sure that someone who claims doing a package is really him, become, a way to ask to developer or tu to prove their _real_ identities. Cheers, -- Sébastien Luttringer www.seblu.net
Re: [aur-general] GPG Key Signing
Ionut Biru wrote: > why are you so sure that I'll sign it? I no longer am, but until you replied I never had any reason to doubt it. As for the discussion about my name: As stated, there could be many reasons. Perhaps I do not wish to be found by someone for whatever reason. Perhaps my name appears in publications and I do not wish to have people who read them contact me here. Perhaps I simply enjoy anonymity for the sake of anonymity. I could easily claim a fake name to make you happy and you would never know the difference. The name means absolutely nothing. I have been an active member of this community for over 3 years and a TU for about 2.5. I have made numerous contributions during that time. I have had ample opportunity to be malicious had I so chosen (e.g. when powerpill/bauerbill were way up on the package stats). You know me through my deeds here. They mean much more than some random name. Also, consider this. I am much more civil to people behind an anonymous identity than people like Angel are behind their (presumably) real names. That in itself should say something about my character. As I said to keenerd in a private email, if this is really an issue for some of you then start a discussion and call a vote to remove me as a TU. Even if the vote passes I may resign if I see many that would like me gone, so you win. For what it's worth, I really do like this community and I hope to continue to contribute to it. This has never been an issue before and the only reason it might be an issue now is because some people confuse trivial knowledge with intimacy and trust. Trust should be built on deeds and experience, not how many blanks you can fill in on a piece of paper. Regards, Xyne
Re: [aur-general] GPG Key Signing
[2011-12-01 09:08:39 -0600] Thomas Dziedzic: > I don't think anyone has actually verified that any of the given names > are real names. Well, actually, CAcert (which Dan relies on) is all about verifying people's actual identity, in particular their name and birth date. > What's important is that you're verified that you use the key to sign > your packages in case someone does get compromised or decides to go > rogue, then we will have a way to easily track which packages should > become void. That feature was already achieved by permissions on gerolde/sigurd... The whole point of package signing is to neutralize attacks against our repositories (our servers but also third-party mirrors). Now those inaccuracies are out of the way: I find Dan's verification requirements quite reasonable, and I am pleased he takes a different approach than other master key holders: what would be the point of everyone verifying the same thing? Yes, that Xyne person (well, it could even be a group of people, for all we know) has pushed good packages to the repos, but developers and trusted users are not just package producing machines, and it doesn't strike me as odd that a distro expects a little transparency from them. Of course, that is only my opinion: verification policy is for each master key holder to decide individually - that's what they were entrusted with when they were selected. -- Gaetan
Re: [aur-general] GPG Key Signing
On 1 December 2011 23:36, Peter Lewis wrote: > On Thursday 01 Dec 2011 09:08:39 Thomas Dziedzic wrote: > > I do find it kind of abnormal that a TU does want to retain his real > name. > > To be fair that are loads of potential reasons why someone wouldn't want > their > actual identity disclosed in a place where discussions are archived on the > web > with timestamps and everything. He could be doing all this in a place where > free use of the Internet is forbidden, could be on a witness protection > programme, could be doing it while at work and slacking off and not > wanting to > get caught, could actually be Kim Jong Il in his spare time. Seriously, we > have no way to judge reasons or not. And this isn't specific to Xyne, or > anyone else. > > My real name is actually Robert Parks. > > Perhaps. > > :-p > > > > There may be legitimate reasons for doing this or not, I don't know. > > But I also have to agree with Thomas on this one. > > I don't think anyone has actually verified that any of the given names > > are real names. > > What's important is that you're verified that you use the key to sign > > your packages in case someone does get compromised or decides to go > > rogue, then we will have a way to easily track which packages should > > become void. > > Absolutely. Let's not turn into Google+ over this one... > > Pete. > I am in full agreement with Thomas as well. There are many valid reasons for not using your real name on the Internet. Genius people hide behind screen names and yet we benefit from their work. So there is no reason we should say "you there, you genius kid. what's yo name? no name? get outta here we don't need yo charity." But of course I'm not assuming Xyne is a genius, or a kid. -- GPG/PGP ID: C0711BF1
Re: [aur-general] GPG Key Signing
On Thursday 01 Dec 2011 09:08:39 Thomas Dziedzic wrote: > I do find it kind of abnormal that a TU does want to retain his real name. To be fair that are loads of potential reasons why someone wouldn't want their actual identity disclosed in a place where discussions are archived on the web with timestamps and everything. He could be doing all this in a place where free use of the Internet is forbidden, could be on a witness protection programme, could be doing it while at work and slacking off and not wanting to get caught, could actually be Kim Jong Il in his spare time. Seriously, we have no way to judge reasons or not. And this isn't specific to Xyne, or anyone else. My real name is actually Robert Parks. Perhaps. :-p > There may be legitimate reasons for doing this or not, I don't know. > But I also have to agree with Thomas on this one. > I don't think anyone has actually verified that any of the given names > are real names. > What's important is that you're verified that you use the key to sign > your packages in case someone does get compromised or decides to go > rogue, then we will have a way to easily track which packages should > become void. Absolutely. Let's not turn into Google+ over this one... Pete.
Re: [aur-general] GPG Key Signing
On Thu, Dec 1, 2011 at 8:21 AM, Thomas Bächler wrote: > Am 01.12.2011 12:19, schrieb Xyne: >> I'm in the process of getting my key signed (Pierre has signed, Thomas and >> Ionut should sign soon, not sure if Dan will sign due to not knowing my real >> name). > > Dan's way isn't just about knowing the realname. He wants to verify that > the name is correct. > > I can't believe that we are having the identity verification discussion > again, but here is what I believe: You have been elected TU (or > Developer) and thus I trust your key. Knowing (or not knowing) your real > name doesn't change anything. In fact, I did not verify names for anyone. > > What's important to me: If I find out that you release packages that are > harmful in any way, I can revoke my signature and block your packages > from being installed. Knowing your real name does not make that easier, > or prevent you from doing harmful things in the first place. > I do find it kind of abnormal that a TU does want to retain his real name. There may be legitimate reasons for doing this or not, I don't know. But I also have to agree with Thomas on this one. I don't think anyone has actually verified that any of the given names are real names. What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void.
Re: [aur-general] GPG Key Signing
Am 01.12.2011 12:19, schrieb Xyne: > I'm in the process of getting my key signed (Pierre has signed, Thomas and > Ionut should sign soon, not sure if Dan will sign due to not knowing my real > name). Dan's way isn't just about knowing the realname. He wants to verify that the name is correct. I can't believe that we are having the identity verification discussion again, but here is what I believe: You have been elected TU (or Developer) and thus I trust your key. Knowing (or not knowing) your real name doesn't change anything. In fact, I did not verify names for anyone. What's important to me: If I find out that you release packages that are harmful in any way, I can revoke my signature and block your packages from being installed. Knowing your real name does not make that easier, or prevent you from doing harmful things in the first place. signature.asc Description: OpenPGP digital signature
Re: [aur-general] GPG Key Signing
On 12/01/2011 01:19 PM, Xyne wrote: > Hi Allan, > > I'm in the process of getting my key signed (Pierre has signed, Thomas and > Ionut should sign soon, not sure if Dan will sign due to not knowing my real > name). > why are you so sure that I'll sign it? > How do I get your signature? I can't find an email about it. > > Regards, > Xyne -- Ionuț signature.asc Description: OpenPGP digital signature
Re: [aur-general] GPG Key Signing
> Hi Allan, > > I'm in the process of getting my key signed (Pierre has signed, Thomas and > Ionut should sign soon, not sure if Dan will sign due to not knowing my real > name). > > How do I get your signature? I can't find an email about it. > > Regards, > Xyne https://www.archlinux.org/master-keys/ ?
Re: [aur-general] GPG Key Signing
On Dec 1, 2011 9:38 PM, "Jelle van der Waa" wrote: > > On 01/12/11 14:27, Ángel Velásquez wrote: > > 2011/12/1 Xyne : > >> Hi Allan, > >> > >> I'm in the process of getting my key signed (Pierre has signed, Thomas and > >> Ionut should sign soon, not sure if Dan will sign due to not knowing my real > >> name). > > > > I can't understand yet your drama giving your name. > > > > Seriously, grow up. > > > > > > > > > How rude! > > Well actually I would like to know your name too, I don't see any reason > why wouldn't give it. > > -- > Jelle van der Waa I remember reading something about knowing a person's "true name" giving you complete power over someone...
Re: [aur-general] GPG Key Signing
At Thu, 1 Dec 2011 12:19:01 +0100, Xyne wrote: > > Hi Allan, > > I'm in the process of getting my key signed (Pierre has signed, Thomas and > Ionut should sign soon, not sure if Dan will sign due to not knowing my real > name). > > How do I get your signature? I can't find an email about it. You may use fake name. But as I know GPL2 requires real name. What is the license of our pkgbuilds?
Re: [aur-general] GPG Key Signing
On 01/12/11 14:27, Ángel Velásquez wrote: > 2011/12/1 Xyne : >> Hi Allan, >> >> I'm in the process of getting my key signed (Pierre has signed, Thomas and >> Ionut should sign soon, not sure if Dan will sign due to not knowing my real >> name). > > I can't understand yet your drama giving your name. > > Seriously, grow up. > > > > How rude! Well actually I would like to know your name too, I don't see any reason why wouldn't give it. -- Jelle van der Waa
Re: [aur-general] GPG Key Signing
2011/12/1 Xyne : > Hi Allan, > > I'm in the process of getting my key signed (Pierre has signed, Thomas and > Ionut should sign soon, not sure if Dan will sign due to not knowing my real > name). I can't understand yet your drama giving your name. Seriously, grow up. -- Angel Velásquez angvp @ irc.freenode.net Arch Linux Developer / Trusted User Linux Counter: #359909 http://www.angvp.com
Re: [aur-general] GPG Key Signing
fail kindly keep the mocking to a minimum then ignore this
