Steve Langasek wrote:
> On Wed, Jun 17, 2009 at 01:49:55PM +0200, martin f krafft wrote:
> 
>>> This would also eliminate people that have fake ID from places
>>> that most people wouldn't recognise at all -- we're almost bound
>>> to have a local that will recognise it as fake, and so not sign.
>>> By adding the denouncement procedure that key will get signed by
>>> nobody at the key signing, rather than getting signed by quite
>>> a lot of the people who would have been convinced.
> 
>> You are putting *way* too much weight and importance into the
>> government-issued document, and basically none into the identity of
>> the holder. Seriously: we're supposed to be certifying identities,
>> not the authenticity of a government document.
> 
> I thought this was suitably rebutted years ago after the DC6 keysigning.  To
> bring up the same arguments again looks like trying to win by getting the
> last word...
> 
> The government IDs are relevant because when we're collaborating on an OS
> where there's minimal code review of the work done by maintainers and a
> well-chosen malicious package could cause millions or billions of dollars in
> damage to our users, we[1] want to be able to hold someone accountable in
> the real world.  Not an "identity", but a physical person that we can
> prosecute and send to jail.
> 
> Since governments are in charge of jails, government IDs are therefore the
> best tool we have available for this, without significantly compromising our
> scalability.

Very strange logic. BTW AFAIK justice doesn't identify people
because of ID documents. For other administrative work the government
identifies me with my tax code, my social security number, etc. (which
are easily fakeable).

I miss the logic.

BTW usually open source projects use trustiness: if you did a lot
of good patches you'll have the commit rights, without identity checks.
AFAIK only Debian has stronger requirements (on identity), and it
is IMO also the reason why we discuss: we have no other good example.

I agree that we should trust and use government ID for identity
checks in Debian, but:
- it should be one control among others
- stop the FUD. If open source needs to check ID documents for
   every developer, open source will die.
   We have a higher level of security/trustiness, but please don't
   destroy the real men, who do the real job: the upstreams.

ciao
        cate
_______________________________________________
Debconf-discuss mailing list
[email protected]
http://lists.debconf.org/mailman/listinfo/debconf-discuss