On Mon, May 23, 2022 at 6:28 PM Adam McKenna <a...@flounder.net> wrote:
>
> > i believe the answer is in the question. debian is based on distributed
> > trust. i did the analysis (took 3 weeks): it is literally the only distro
> > in the world with an inviolate chain of trust from a large keyring dating
> > back 20 years that is itself GPG-signed as a package, with a package
> > distribution chain from source where all components within the chain up to
> > release are unbroken and inviolate.
>
> This is not an answer to the question though, OP was asking how we prevent
> abuse of that trust.
reputation, and potentially criminal and civil proceedings. all identities are known, and inviolate-known [through the above-described chain]. anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked.

given that GPG key-signing parties require people's real-world identities to be known, it is easy to track down who signed whose key (it's right there in the keyring-archive), and request that the signer provide assistance to the relevant authorities in proving that real-world identity. this will sufficiently piss off those people that trusted them that they will be unlikely to work with them ever again [reputation].

in addition there is the Debian Trademark which, if brought into disrepute through abuse, could be utilised to seek damages against the perpetrator.

bottom line is that it would be a spectacularly stupid thing to do to violate the trust and responsibility of being a Debian Maintainer, and the really interesting bit to me is that this all works in an entirely distributed manner and can all be done entirely without a single centralised authority, i.e. *not* having to trust f*****g google or f*****g github with anyone's real-world identity in any way shape or form.

l.