[2011-12-02 07:59:10 +0100] Thomas Bächler:
> On 01.12.2011 23:08, Gaetan Bisson wrote:
> > [2011-12-01 09:08:39 -0600] Thomas Dziedzic:
> >> I don't think anyone has actually verified that any of the given names
> >> are real names.
> >
> > Well, actually, CAcert (which Dan relies on) is all about verifying
> > people's actual identity, in particular their name and birth date.
>
> And that information is useful to you because ...?

Your question is irrelevant here. I was just asserting that, yes, the names of certain devs have actually been verified.

> >> What's important is that you're verified that you use the key to sign
> >> your packages in case someone does get compromised or decides to go
> >> rogue, then we will have a way to easily track which packages should
> >> become void.
> >
> > That feature was already achieved by permissions on gerolde/sigurd...
>
> It wasn't.

Yes, it was.

> > The whole point of package signing is to neutralize attacks against our
> > repositories (our servers but also third-party mirrors).
>
> That's only part of the point. The other part is - as mentioned - the
> ability to revoke trust from rogue packagers.

No. From that standpoint, package signing does nothing more than permissions on gerolde/sigurd - as mentioned.

> I'll ask you the same question I asked before, when we already had this
> discussion: What benefit does knowing someone's real identity give you?
> (and please, I'd really like to get an answer this time)

You had an answer (actually, several answers, and not just from me) last time - it's just that you didn't like them so you chose to ignore them, but they're still all in your email archives. (See, I can be disagreeable too.)

-- 
Gaetan
