[SGVLUG] any Debian developers in the area / keysigning for prospective debian developer

John Kreznar jek at ininx.com
Sun Mar 2 18:40:55 PST 2014


In a posting lacking a digital signature, it is written:

> On Mar 1, 2014, at 1:35 PM, John Kreznar <jek at ininx.com> wrote:

>> The physical meeting, their "ID", and their word add nothing to the
>> assurance you get by verifying their signature on something.  The key
>> IS the relevant ID.

> Agreed, in the digital world, the key is the ID.

> But there's always the question of what the key is supposed to
> represent.  Does Debian actually want it to represent real people who
> are legally responsible for claims they make about code, or merely a
> unique author identity?

Here's a statement of what Debian wants, from debian-keyring README [1]:

   The Debian project wants developers to digitally sign the
   announcements of their packages, to protect against forgeries.

And of course, FOSS packages are usually replete with disclaimers of
legal warranty.

Signing a software package with a GPG key works just fine for this
purpose, especially if that key has gained positive reputation in prior
general correspondence.

> Does a trusting user merely want a unique ID for a pen-pal, or
> something more?

Not sure how this bears.

[1] /usr/share/doc/debian-keyring/README.gz on Debian systems

-- 
OpenPGP key: http://ininx.com
 John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
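The point above, that a signature checked against a known key is what protects an announcement against forgery, as an added worked example. This is not code from the original post or from Debian's tooling; it uses the stock gpg command line (2.1 or later assumed) with throwaway keys in temporary keyrings, and the package name, user IDs and announcement text are all constructed for the demonstration. It shows what a verifier who holds only the developer's public key sees for the genuine announcement, for a copy edited after signing, and for an announcement signed by someone else's key.

```shell
#!/bin/sh
# Added example, not code from the original post. Signs a constructed
# package announcement with a throwaway GPG key, verifies it, then shows
# what a verifier sees for a tampered copy and for a copy signed by a key
# it does not hold. All keyrings live in a temporary GNUPGHOME; assumes
# gpg 2.1 or later on PATH. The package and user IDs are hypothetical.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"     # the developer's keyring
BOB="$WORK/bob"         # a user who holds only Alice's public key
MALLORY="$WORK/mallory" # someone who forges an announcement with their own key

cleanup() {
    for h in "$ALICE" "$BOB" "$MALLORY"; do
        GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOME UID : create an unprotected signing key in an isolated keyring.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default 1d 2>/dev/null
}

# sign_file HOME IN OUT : clearsign IN with the secret key in HOME.
sign_file() {
    GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$3" "$2" 2>/dev/null
}

# verify_file HOME FILE : classify the signature using gpg's machine-readable
# status lines rather than its exit code or human-readable output.
verify_file() {
    status=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" 2>/dev/null || true)
    case "$status" in
        *GOODSIG*)   echo good ;;
        *BADSIG*)    echo bad ;;
        *NO_PUBKEY*) echo unknown-key ;;
        *)           echo error ;;
    esac
}

# Constructed announcement text (hypothetical package, not a real upload).
cat > "$WORK/announce.txt" <<'EOF'
Source: example-pkg
Version: 1.0-1
Changes: Fix buffer handling in the config parser.
EOF

gen_key "$ALICE"   "Alice Developer <alice@example.invalid>"
gen_key "$MALLORY" "Mallory <mallory@example.invalid>"

# Bob imports Alice's public key once; from then on that key is her identity.
mkdir -p "$BOB" && chmod 700 "$BOB"
GNUPGHOME="$ALICE" gpg --batch --armor --export > "$WORK/alice.pub"
GNUPGHOME="$BOB" gpg --batch --quiet --import "$WORK/alice.pub" 2>/dev/null

sign_file "$ALICE" "$WORK/announce.txt" "$WORK/announce.asc"

# Tampered copy: the signed text is edited after signing.
sed 's/^Version: 1.0-1$/Version: 1.0-2/' "$WORK/announce.asc" > "$WORK/tampered.asc"

# Forged copy: Mallory signs her own announcement with her own key.
sed 's/^Source: example-pkg$/Source: example-pkg-backdoored/' \
    "$WORK/announce.txt" > "$WORK/forged.txt"
sign_file "$MALLORY" "$WORK/forged.txt" "$WORK/forged.asc"

# run_checks : Bob's verdict on the three files, space separated.
run_checks() {
    printf '%s %s %s\n' \
        "$(verify_file "$BOB" "$WORK/announce.asc")" \
        "$(verify_file "$BOB" "$WORK/tampered.asc")" \
        "$(verify_file "$BOB" "$WORK/forged.asc")"
}

run_checks
```

Two details worth noticing. Verification is driven by the `--status-fd` lines (GOODSIG, BADSIG, NO_PUBKEY) rather than by gpg's exit code, because the exit code alone does not distinguish "signed by a key I do not have" from "signature does not match". And Bob's keyring imports Alice's key without assigning it any trust, which is enough to get GOODSIG on her genuine announcement; the separate question of whether Bob should believe that key belongs to the person he thinks it does is exactly the keysigning question the thread is arguing about, and gpg reports it on the TRUST_ lines, not on GOODSIG.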
