* Philip Hands:
> If I were a sociopath contemplating sabotage in the Free Software
> sphere, going to the effort of becoming a DD, even for the first time,
> would be nowhere near the top of my list.
Even if you got a peer-reviewed research paper out of it? (If I
recall correctly, academics alr
Jonas Smedegaard writes:
> Any opinion on the "votes twice" part? Anyone?
How many decisions have we had that were decided by a slim enough margin
that you believe fraud could have changed the outcome?
What have we voted on that you think anyone would care sufficiently about
to do the tedious a
Quoting Philip Hands (2020-08-20 10:05:42)
> rhkra...@gmail.com writes:
>
> > On Wednesday, August 19, 2020 09:33:04 AM Wouter Verhelst wrote:
> >> If the term "malicious DD" is reasonable, we have a bigger problem
> >> than "votes twice" or "uploads a backdoor".
> >>
> >> aka, "a malicious DD e
On Thu, 2020-08-20 at 10:05 +0200, Philip Hands wrote:
> Conjuring up a "malicious DD" seems to carry with it the assumption
> that only bad people do bad things, which seems naive to me.
>
> This conversation reminds me of the trade-offs involved in airport
> security.
>
> One can decide to spe
On Thu, Aug 20, 2020 at 10:05:42AM +0200, Philip Hands wrote:
> If I were a sociopath contemplating sabotage in the Free Software
> sphere, going to the effort of becoming a DD, even for the first time,
> would be nowhere near the top of my list.
Indeed, I would sabotage some upstream code directly
rhkra...@gmail.com writes:
> On Wednesday, August 19, 2020 09:33:04 AM Wouter Verhelst wrote:
>> If the term "malicious DD" is reasonable, we have a bigger problem than
>> "votes twice" or "uploads a backdoor".
>>
>> aka, "a malicious DD exists" is already a problem.
>
> Do you have a suggested s
On Wednesday, August 19, 2020 09:33:04 AM Wouter Verhelst wrote:
> If the term "malicious DD" is reasonable, we have a bigger problem than
> "votes twice" or "uploads a backdoor".
>
> aka, "a malicious DD exists" is already a problem.
Do you have a suggested solution?
I believe there are circums
On Mon, Aug 17, 2020 at 08:39:02PM +0200, Jonas Smedegaard wrote:
> Quoting Federico Ceratto (2020-08-17 20:17:49)
> > On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez
> > wrote:
> > > Perhaps instead of requiring "a valid DD signature" as the basis for
> > > "important" project actions (e.g., u
Quoting Federico Ceratto (2020-08-17 20:17:49)
> On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez wrote:
> > Perhaps instead of requiring "a valid DD signature" as the basis for
> > "important" project actions (e.g., uploading to the archive), we should
> > consider rather "degree of trust associ
On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez wrote:
> Perhaps instead of requiring "a valid DD signature" as the basis for
> "important" project actions (e.g., uploading to the archive), we should
> consider rather "degree of trust associated with a collection of one or
> more signatures".
F
On Friday 14 August 2020 at 01:10:02+0200, Ángel wrote:
> On 2020-08-13 at 16:43 +0200, Pierre-Elliott Bécue wrote:
> > > gpg has a `--ask-cert-expire` flag and a `--default-cert-expire`
> > > option in that effect. Expired certification signatures will be
> > > ignored when building the Web o
Quoting Ángel (2020-08-14 22:57:32)
> On 2020-08-14 at 20:27 +0200, Jonas Smedegaard wrote:
> > Seems we are talking about several things here:
> >
> > a) trusting an identity _without_ relying on governmental proof
> >
> > b) proving an identity using fake governmental proof
> >
> > It is my
On 2020-08-14 at 20:27 +0200, Jonas Smedegaard wrote:
> Seems we are talking about several things here:
>
> a) trusting an identity _without_ relying on governmental proof
>
> b) proving an identity using fake governmental proof
>
> It is my understanding that a) is illegal and punishable in m
Quoting Adrian Bunk (2020-08-14 18:33:06)
> On Thu, Aug 13, 2020 at 09:23:58PM +0100, Steve McIntyre wrote:
> > On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
> > >On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> > >> I think the point about fake identity documents i
On Thu, Aug 13, 2020 at 09:23:58PM +0100, Steve McIntyre wrote:
> On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
> >On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> >> I think the point about fake identity documents is, it being a criminal
> >> activity and makes one
On 2020-08-13 at 16:43 +0200, Pierre-Elliott Bécue wrote:
> > gpg has a `--ask-cert-expire` flag and a `--default-cert-expire`
> > option in that effect. Expired certification signatures will be
> > ignored when building the Web of Trust.
> >
> > Cheers
>
> This could work, but we'd have to ha
On Thu, Aug 13, 2020 at 10:59:47PM +0200, Christian Kastner wrote:
> On 2020-08-13 21:03, Adam Borowski wrote:
> > I don't think someone could possibly be prosecuted for using a fake passport
> > to obtain a gpg signature.
> But even if it weren't a crime: Once the person waving the fake ID is
> c
On 2020-08-13 21:03, Adam Borowski wrote:
> I don't think someone could possibly be prosecuted for using a fake passport
> to obtain a gpg signature.
In many (if not most) jurisdictions, using a fake government ID for any
transaction whatsoever is a crime. It's not tied to monetary or any
other ga
On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
>On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
>> I think the point about fake identity documents is, it being a criminal
>> activity and makes one liable for prosecution. So it is not just about
>> immediate cost of get
On 2020-08-13 at 17:57 +0200, Adam Borowski wrote:
> On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> > as there would be an external motivation to do that which is financing
> > such activity. Please note that by 'company' I am not meaning just
> > business entities, but also three letter
On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> I think the point about fake identity documents is, it being a criminal
> activity and makes one liable for prosecution. So it is not just about
> immediate cost of getting a fake id, but there is a high risk if you are caught.
> Not all f
On Thu, Aug 13, 2020 at 17:57, Adam Borowski wrote:
I don't get where people get the feeling that producing a passport would
require a TLA/nation state/organized crime/etc. You can get one for
peanuts.
I've been offered one once, and I inquired about the details -- for
just ~$25 (100PLN)
On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> as there would be an external motivation to do that which is financing
> such activity. Please note that by 'company' I am not meaning just
> business entities, but also three letter agencies, nation states,
> malicious hacker groups, mafia..
On Thursday 13 August 2020 at 14:29:35+0200, Guilhem Moulin wrote:
> Hi,
>
> On Thu, 13 Aug 2020 at 14:11:14 +0200, Pierre-Elliott Bécue wrote:
> > On Thursday 13 August 2020 at 07:42:29-0400, Sam Hartman wrote:
> >>> "Paul" == Paul Wise writes:
> >>
> >> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pi
Hi,
On Thu, 13 Aug 2020 at 14:11:14 +0200, Pierre-Elliott Bécue wrote:
> On Thursday 13 August 2020 at 07:42:29-0400, Sam Hartman wrote:
>>> "Paul" == Paul Wise writes:
>>
>> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
>> >> I'd rather try to solve the issue in a more
On Thursday 13 August 2020 at 07:42:29-0400, Sam Hartman wrote:
> > "Paul" == Paul Wise writes:
>
> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
> >> I'd rather try to solve the issue in a more sensible way : lower
> >> the number of expected GPG signatures to 0
On Thursday 13 August 2020 at 03:36:11+, Paul Wise wrote:
> > This wouldn't solve the broader issue that can arise when one lives in a
> > place with no close DD and wants to become a DD themselves.
>
> Given the "problems" that are being discussed on another thread in
> another location, I think
On Wednesday, August 12, 2020 11:36:11 PM Paul Wise wrote:
> Given the "problems" that are being discussed on another thread in
> another location, I think there is an obvious solution to solve both
> issues at the same time, once the COVID situation allows it.
??
> "Paul" == Paul Wise writes:
Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
>> I'd rather try to solve the issue in a more sensible way : lower
>> the number of expected GPG signatures to 0 temporarily, and ask
>> for two or three advocacies from DDs.
Thanks for the summary, Sam.
As an 'amicus' of the project, and interested in these topics, I wanted
to provide my 2 cents.
First of all, you are not the only one with this situation. The issue
arises from the vague meaning of a signature on a pgp key, and also
appears on other venues when using
On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
> I'd rather try to solve the issue in a more sensible way : lower the
> number of expected GPG signatures to 0 temporarily, and ask for two or
> three advocacies from DDs.
This seems like the most natural solution to the problem of COVI
On Thursday 06 August 2020 at 17:54:21+0200, Enrico Zini wrote:
> Hello,
>
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
>
> Technically, we are not requiring that people
Quoting Sam Hartman (2020-08-12 13:59:07)
> Enrico, I find that the sorts of discussions that you've started are
> more valuable if someone goes back later and tries to summarize what
> we've learned.
> So I'm going to take a stab at that.
Thanks, Sam - I find such summary quite helpful!
...even
Enrico, I find that the sorts of discussions that you've started are
more valuable if someone goes back later and tries to summarize what
we've learned.
So I'm going to take a stab at that.
I don't think we were seeking a consensus, and we didn't find one. What
we did find is a number of appro
Enrico Zini wrote:
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
It's worthwhile stating the actual problem that is trying to be solved
here.
I believe that is: "Given
On Sun, Aug 09, 2020 at 12:20:53AM -0500, Gunnar Wolf wrote:
> Adrian Bunk wrote [Fri, Aug 07, 2020 at 04:46:18PM +0300]:
> > Why are you requiring key signing at all when it has no defined semantics?
> >
> > Many DDs check only the government issued photo ID for signing a key and
> > this is also
On 07/08/20 11:34, Holger Levsen wrote:
> this is factually incorrect: while there are DDs who don't go by their
> government backed identity indeed, DAM or ftp master (don't remember which)
> do know their government identity.
Ah, didn't know that. Still, this is not represented on PGP keys,
On Sun, Aug 09, 2020 at 08:51:30AM -0400, Sam Hartman wrote:
> It sounds like you are hearing me as disagreeing with *you* and not with
> some combination of your ideas and how they are presented.
> I'd like to offer to sit down virtually and work through this.
> I don't want to come across as host
> "Olek" == Olek Wojnar writes:
Olek> Sam, I do not appreciate your aspersions and I think your
Hi.
It sounds like you are hearing me as disagreeing with *you* and not with
some combination of your ideas and how they are presented.
I'd like to offer to sit down virtually and work thro
Adrian Bunk wrote [Fri, Aug 07, 2020 at 04:46:18PM +0300]:
> Why are you requiring key signing at all when it has no defined semantics?
>
> Many DDs check only the government issued photo ID for signing a key and
> this is also how keysigning parties work, but if this is considered
> optional the
Hello Enrico, and thanks for bringing the discussion over here.
Enrico Zini wrote [Thu, Aug 06, 2020 at 05:54:21PM +0200]:
> Hello,
>
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their k
Hi Olek,
On Sat, Aug 8, 2020 at 6:36 PM Olek Wojnar wrote:
>
> You are attributing motivations to me that I do not have.
More significantly, you are not responsible for "our tendency to suck
every discussion into such a long-term thing that it immobilizes us."
Sam is right with his general obser
On Sat, Aug 8, 2020 at 5:04 PM Sam Hartman wrote:
> Until you have a concrete suggestion, you're derailing the discussion.
> Enrico and a number of people sound like they would like a way forward
> that works for people trying to become DMs today.
> When I hear things like "eventually have a GR,"
Sam,
I do not appreciate your aspersions and I think your hostile attitude is
completely uncalled for. I don't know why me sharing my thoughts on this
subject has triggered you into lashing out.
On Sat, Aug 8, 2020, 19:04 Sam Hartman wrote:
>
> Sometimes that is necessary; some ideas need to be
> "Olek" == Olek Wojnar writes:
> TL;DR: While there may be improvements to be found in a
> completely different approach to identity, let us not let the
> scope of the discussion broaden that far, so we can make
> progress today.
Olek> I respectfully disagree on this point. This
Hi Sam,
On Sat, Aug 8, 2020, 11:46 Sam Hartman wrote:
>
> TL;DR: While there may be improvements to be found in a completely
> different approach to identity, let us not let the scope of the
> discussion broaden that far, so we can make progress today.
>
I respectfully disagree on this point. Thi
TL;DR: While there may be improvements to be found in a completely
different approach to identity, let us not let the scope of the
discussion broaden that far, so we can make progress today.
> "Olek" == Olek Wojnar writes:
Olek> TL;DR: I think without some link back to real world
Hi Sam,
On Fri, Aug 7, 2020 at 3:39 PM Sam Hartman wrote:
>
> TL;DR: I think without some link back to real world identity, we open
> ourselves up to attacks where people build trust only to betray us.
>
I agree with you that this is a potentially-serious problem. However, I'm
not sure that key
Quoting Sam Hartman (2020-08-07 23:29:23)
> > "Jonas" == Jonas Smedegaard writes:
>
> Jonas> I feel that you are somewhat quoting me out of context:
>
> Jonas> For the record, I do *not* find "several months of [remote]
> Jonas> collaboration" adequate for trusting an identity.
> "Jonas" == Jonas Smedegaard writes:
Jonas> I feel that you are somewhat quoting me out of context:
Jonas> For the record, I do *not* find "several months of [remote]
Jonas> collaboration" adequate for trusting an identity. I simply
Jonas> repeated that criterion from the p
On 8/7/20, Sam Hartman wrote:
>
> TL;DR: I think without some link back to real world identity, we open
> ourselves up to attacks where people build trust only to betray us.
Hi, Everyone.. I've tried to follow some of this conversation but keep
getting distracted. I haven't known where to chime
Quoting Sam Hartman (2020-08-07 21:14:10)
>
> TL;DR: I think without some link back to real world identity, we open
> ourselves up to attacks where people build trust only to betray us.
>
> > "Jonas" == Jonas Smedegaard writes:
>
> Jonas> Quoting Gerardo Ballabio (2020-08-07 10:34:20)
>
TL;DR: I think without some link back to real world identity, we open
ourselves up to attacks where people build trust only to betray us.
> "Jonas" == Jonas Smedegaard writes:
Jonas> Quoting Gerardo Ballabio (2020-08-07 10:34:20)
>> Johannes Schauer wrote:
Jonas> If ok for first
Hi,
On 07.08.20 15:46, Adrian Bunk wrote:
> On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
>> ...
>> As DAM, I would have a problem if someone automatically signed the keys
>> of every stranger who asked them nicely in an email. At the same time, I
>> am open to the idea of policies
On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
>...
> Technically, every DD has their own policies for signing keys,
>...
> It might require to check a government issued photo ID, or it might not.
I thought this was the sole fixed requirement for keysigning.
>...
> As DAM, I would h
On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that
> would be acceptable to you, that would not require traveling and
> meeting face to face?
I don't have specific suggestions for a key signing policy but I wrote
this so
Quoting Alexandre Viau (2020-08-07 05:44:34)
> On 2020-08-06 11:54 a.m., Enrico Zini wrote:
> > What do you think could be alternative key signing policies, that would
> > be acceptable to you, that would not require traveling and meeting face
> > to face?
>
> Hello Enrico :)
>
> Thank you for br
On Thursday, 6 August 2020, 17.54:21 h CEST Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?
Several others have eloquently described key signing policies close to mine,
On Thu, Aug 06, 2020 at 08:44:57PM +0200, Giovanni Mascellani wrote:
> Not to mention that as far as I know there are already DDs whose key
> identity does not correspond to any government-given identity. So we
> already acknowledge that we don't really care about what is your "legal"
> name.
thi
Quoting Gerardo Ballabio (2020-08-07 10:34:20)
> Johannes Schauer wrote:
> > So in my opinion (and please correct my assumptions if they are wrong), an
> > acceptable key signing policy would also be one, where a prospective DM has
> > shown over several months to produce work that is always sign
Johannes Schauer wrote:
> So in my opinion (and please correct my assumptions if they are wrong), an
> acceptable key signing policy would also be one, where a prospective DM has
> shown over several months to produce work that is always signed with the same
> key and maybe even communicated (fo
On 2020-08-06 11:54 a.m., Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?
Hello Enrico :)
Thank you for bringing this up.
On 2020-08-06 1:26 p.m., Johannes Schauer wr
Hello,
On Thu., 6 Aug. 2020, 18:08, Enrico Zini wrote:
>
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?
>
- you know that person in the real world, or at least you have verifi
On 2020-08-06 17:54, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?
As food for thought, there was a longish thread "Why are in-person
meetings required for the debian
Hi,
On 06/08/20 19:26, Johannes Schauer wrote:
> What added value does the connection to a government ID give to Debian?
And even if we assumed that it is for some reason useful to link each DD
to a "government-verified" identity[1], what we actually verify
(basically, the names) is very lit
Quoting Enrico Zini (2020-08-06 17:54:21)
[...]
> Practically, I feel like most of the time people's policies match what
> are the perceived expectations of the rest of the project. Meeting in
> person has always been a good safe bet, if only for the reason that
> it's been accepted without ques
Hi Enrico,
thanks for bringing this up.
Quoting Enrico Zini (2020-08-06 17:54:21)
> What do you think could be alternative key signing policies, that would be
> acceptable to you, that would not require traveling and meeting face to face?
I'm currently in the situation of sponsoring a very skill
Hi Enrico,
On Thu, Aug 6, 2020 at 9:15 AM Enrico Zini wrote:
>
> What do you think could be alternative key signing policies
> ... that would not require ... meeting face to face?
Perhaps a video meeting on Jitsi [1] is acceptable? People could
present their IDs to the camera. Maybe the certific
On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
>
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?
>
What about an added dimension that may (or may not) affect the concept
of
Hello,
we have people approaching Debian with a lack of GPG signatures, and we
generally cannot ask them to travel and meet other developers in person
to get their key signed.
Technically, we are not requiring that people meet a DD in person, only
that people have their key signed by a DD.
Techn