On 2015-02-15 11:55, Russell Stuart wrote:
> On Fri, 2015-02-13 at 15:14 +0000, Ian Jackson wrote:
>> There are organisations with plenty of money, who would perhaps like
>> to infiltrate us, but for whom risk of exposure is the biggest cost of
>> trying.
>
> Which organisations would that be?
>
> It is the NSA, who was caught red-handed installing gear in AT&T
> telephone exchanges to illegally spy on US citizens? [0]

Just because no one went to prison does not mean there weren't consequences. In this particular example, these and similar activities led to "HTTPS Everywhere" and other encryption-by-default trends. I would expect this to have a *dramatic* impact on the ability to collect intelligence.

> Back to my original point, the job we ask of GPG is to ensure the keys
> we admit to the keyring are owned by entity who has proved he is
> competent at maintaining packages and is compatible with Debian's social
> fabric.

I contest that. When signing a key, GPG asks me how closely I have verified the identity of the person, and only that. GPG and the WoT are used for far more than just Debian development.

> I can't imagine a better way of doing that than proof of work.

I can: proof of work AND identity verification. As we have now (via advocacy and key signing).

Honestly, I get the feeling that this debate keeps getting framed as an either/or question, and I don't understand why, when we already have both. Nobody is advocating that we drop the proof-of-work requirement (signatures alone do not a DD make). What's being debated is whether to drop the identity verification requirement. A number of arguments have been made for and against, but personally, I have found none of the "for" arguments convincing in the slightest. This is starting to feel like bike-shedding to me. For example, I believe the current shortage of AMs [1] to be a far greater obstacle to becoming a DD than the signature requirement.

So let me ask this: who exactly would benefit from dropping this requirement?

From a quick look, I'd say that all but a dozen DDs have 3 or more signatures, so the 2-sig-minimum requirement apparently was not a problem for most of them (and of the remaining dozen, about half are keys at least a decade old). DMs require only one DD signature, and whether new contributors require a DD signature depends entirely on the package sponsor.

> But yes, everybody is absolutely right in saying it won't stop spy
> agencies.

That doesn't mean we have to make it easier for them.

I believe I have already contributed what I can to this thread, so I will recuse myself.

Regards,
Christian

[1] https://lists.debian.org/debian-devel-announce/2015/02/msg00001.html