On 27/04/12 06:32, Xyne wrote:
> speps wrote:
>
>> I followed the whole discussion on ML, as it is of my interest,
>> and I must admit the Xyne presence in the Arch team was always a
>> good point for me to assert the possibility of contributing "officially"
>> and "anonymously" at the same time, in the hope that it is not just an
>> exception.
>>
>> The meaning of identity on the Internet is still something not so defined
>> to me through its limits, consequences and abuses.
>> So, from the beginning of my Internet experience, I never referred to
>> myself through my real name/life, but using a nickname, a digital identity.
>> This could be perceived as stupid or too paranoid for some, but for me
>> it is just a way to taste things without risking being too much implied till
>> the point of no return. I'm not referring to responsibilities, but to the
>> possibility of having a choice.
>>
>> The intention of adopting GPG keys for signing packages is to prevent
>> malicious hijacking through mirrors and to certify their provenance,
>> and not to identify a packager in his real life.
>> Also, even using a "real name" is not a way to assume a real existence,
>> since hypothetically a real life identity could be easily faked too.
>>
>> As you can see I sign mails with my GPG key, and I really do not see
>> a real difference between mine and yours or the one of another TU, since
>> actually we do not personally know each other.
>>
>> I like to think that a digital identity just deals with the reputation
>> that comes from the quality of the work done, like from the behaviours in
>> social relations, and a nickname is enough to cover its identification.
>>
>> This is just my point till now, not a way to convince someone else.
>> I say "till now", cause this is the first time I was asked to reveal
>> my real identity for being crucial in contributing or to be trusted.
>>
>> Differently, some years ago Giovanni Scafora asked my name for including
>> it as a contributor in an [extra] PKGBUILD (cpufrequtils) after sending
>> him a patch. In that case I took the decision of keeping on my way.
>>
>> I'll have to think about this since, as you say, probably another
>> Xyne would not be allowed.
>> My idea is, trying an application as simply "speps" and on a negative
>> response taking the big decision. What do you think?
>
> I agree with all of these points. An identity is an identity regardless of
> whether or not it's connected to the name your parents gave you. If you have
> shown yourself to be consistent and trustworthy through actions over a period
> of time, that should be enough. As you say, the introduction of PGP keys was to
> ensure that no one had tampered with the packages in transit, not to force TUs
> to divulge off-line (i.e. irrelevant) information. No one asked for real names
> before, let alone verified them. All that mattered was the quality and
> consistency of your contributions, and that's how it's supposed to be.
>
> There are many legitimate reasons that one may wish to remain "anonymous". Some
> simply prefer privacy. Others may wish to avoid internet stalkers or worse.
>
> Anyway, as mentioned, you can release packages without all 5 master signatures,
> but I still think it's silly that TUs don't automatically get all of the master
> key signatures... untrusted "Trusted Users" just doesn't make any sense. If the
> TU application process is not trusted, then it has to be changed, otherwise it's
> nonsensical.
>
> Btw, if you want real security and not just security theater, introduce a
> sign-off system for TUs. That would do far more than getting "real names".
>
I have no real issues with people being anonymous, but there is another issue here.

I signed "Xyne"'s GPG key because, despite not knowing anything in particular about "him", I have had plenty of interaction with him during his time as an Arch contributor. So I was quite sure that the Xyne I "knew" was the one I was signing a key for.

The user "speps", on the other hand, I have absolutely no idea who that is. In fact, when I looked at their AUR packages, I was absolutely surprised at the number of them... I have never seen that name on IRC and there are only 5 posts on the forums for that account name. Looking at mail archives there are a bunch of AUR package deletion requests. I would have a lot of difficulty deciding to sign that key.

Allan
