>>>>> "Nikolaus" == Nikolaus Rath <[email protected]> writes:
Nikolaus> However, it seems to me that meeting someone in person
Nikolaus> isn't actually verifying the relevant identity here. My
Nikolaus> trust in a Debian developer is not based on him holding a
Nikolaus> particular legal name, it is in his history of
Nikolaus> contributions. In other words: just because I'm sure about
Nikolaus> someone's legal name, I wouldn't trust him to run code on
Nikolaus> my computer. But if someone has been contributing to
Nikolaus> Debian for 5 years with a specific GPG key, I'd probably
Nikolaus> trust him to prepare a package no matter if the name
Nikolaus> associated with the GPG key actually corresponds to some
Nikolaus> legal identity or not.
There are lots of types of trust involved.
I definitely think past contributions is part of it.
However, I also think it's desirable that we have some probability of
being able to engage a legal process if we needed to. Imagine someone
intentionally uploaded some compromised software to Debian with the
purpose of harming our users/turning Debian machines into bots/etc.
That's something we should not stand for, and being able to respond to
that sort of thing in the legal system does have to do with a binding to
a particular legal identity.
An in-person meeting is neither necessary nor sufficient for that sort
of legal binding, but I suspect in a number of cases it would help
significantly.
--Sam