On Thu, 2020-08-20 at 10:05 +0200, Philip Hands wrote:
> Conjuring up a "malicious DD" seems to carry with it the assumption
> that only bad people do bad things, which seems naive to me.
>
> This conversation reminds me of the trade-offs involved in airport
> security.
>
> One can decide to spend money on security theatre (e.g. expensive
> scanners) or general resilience (e.g. more ambulances and emergency
> responders)

The number of airplane hijackings has gone down significantly[1] while
the amount of air travel has increased by a lot (passenger-kilometers
per year by more than a factor of 10 or so between 1970 and 2010 from
some graph I found). So it seems to be effective. Maybe the "security
theater" even pays for itself given planes are fairly expensive? :-)

[1]: https://www.statista.com/chart/4560/airliner-hijackings-have-become-rare-events/

> In this situation, tightening up our procedures regarding keys strikes
> me as much closer to the security theater end of the spectrum, while
> efforts like Reproducible Builds are at the general resilience end.

One could just do both. I think I have seen, for example, automated
external defibrillators in public buildings like airports.

> If I were a sociopath contemplating sabotage in the Free Software
> sphere, going to the effort of becoming a DD, even for the first time,
> would be nowhere near the top of my list.
>
> Does DAM actually have any cases at all where they suspect a previously
> expelled DD of trying to sneak back into the project under a new ID?
>
> If not, then either our procedures are already broken enough that
> temporarily slackening keysigning protocols won't make the slightest
> difference, or the threat is probably not worth worrying about.

If a fire alarm wasn't triggered by a fire for some time, should it be
removed? Maybe the procedures just work reasonably well.

Ansgar

