[SGVLUG] any Debian developers in the area / keysigning for prospective debian developer
Henry B Hotz
hbhotz at oxy.edu
Sun Mar 2 19:19:09 PST 2014
"Trust" is tricky. I was trying to list extremes.
Thanks for the Debian reference. That makes things concrete.
On Mar 2, 2014, at 6:40 PM, John Kreznar <jek at ininx.com> wrote:
> In a posting lacking a digital signature, it is written:
>
>> On Mar 1, 2014, at 1:35 PM, John Kreznar <jek at ininx.com> wrote:
>
>>> The physical meeting, their "ID", and their word add nothing to the
>>> assurance you get by verifying their signature on something. The key
>>> IS the relevant ID.
>
>> Agreed, in the digital world, the key is the ID.
>
>> But there's always the question of what the key is supposed to
>> represent. Does Debian actually want it to represent real people who
>> are legally responsible for claims they make about code, or merely a
>> unique author identity?
>
> Here's a statement of what Debian wants, from debian-keyring README [1]:
>
> The Debian project wants developers to digitally sign the
> announcements of their packages, to protect against forgeries.
>
> And of course, FOSS packages are usually replete with disclaimers of
> legal warranty.
>
> Signing a software package with a GPG key works just fine for this
> purpose, especially if that key has gained positive reputation in prior
> general correspondence.
>
>> Does a trusting user merely want a unique ID for a pen-pal, or
>> something more?
>
> Not sure how this bears.
>
> [1] /usr/share/doc/debian-keyring/README.gz on Debian systems
>
> --
> OpenPGP key: http://ininx.com
> John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
>
Personal email. hbhotz at oxy.edu
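An added example, not part of the thread or of Debian's own tooling, showing the mechanism the quoted README line is about: a maintainer makes a detached OpenPGP signature over a constructed stand-in for a package file, a verifier checks it, and a tampered copy of the same file is rejected. It assumes GnuPG 2.1 or later is installed; the "Demo Maintainer" identity, the demo-pkg file name and the throwaway keyring are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): detached OpenPGP signature on a constructed
# package file, verification of the genuine file, and rejection of a tampered copy.
# Assumes GnuPG 2.1+; the key identity and file names are hypothetical.

sign_and_check() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo SKIP          # no GnuPG on this machine, nothing to demonstrate
        return 0
    fi
    H=$(mktemp -d) || return 1        # throwaway keyring so the real one is untouched
    WORK=$(mktemp -d) || return 1
    # Constructed stand-in for a package announcement or source control file.
    printf 'Package: demo-pkg\nVersion: 1.0-1\n' > "$WORK/demo-pkg_1.0-1.dsc"

    # Maintainer key for the demo (hypothetical identity, no passphrase, no expiry).
    gpg --batch --homedir "$H" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Maintainer <demo@example.invalid>' ed25519 sign 0 \
        >/dev/null 2>&1 || { echo FAIL; return 0; }

    # Maintainer side: detached ASCII-armoured signature next to the file.
    gpg --batch --homedir "$H" --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$WORK/demo-pkg_1.0-1.dsc.asc" \
        "$WORK/demo-pkg_1.0-1.dsc" >/dev/null 2>&1 || { echo FAIL; return 0; }

    # Verifier side: the genuine file must verify against the maintainer's public key.
    gpg --batch --homedir "$H" --verify "$WORK/demo-pkg_1.0-1.dsc.asc" \
        "$WORK/demo-pkg_1.0-1.dsc" >/dev/null 2>&1 || { echo FAIL; return 0; }

    # Forgery check: alter the signed content; the old signature must no longer verify.
    printf 'Package: demo-pkg\nVersion: 1.0-2\n' > "$WORK/demo-pkg_1.0-1.dsc"
    if gpg --batch --homedir "$H" --verify "$WORK/demo-pkg_1.0-1.dsc.asc" \
        "$WORK/demo-pkg_1.0-1.dsc" >/dev/null 2>&1; then
        echo FAIL          # a tampered file verified, which must never happen
    else
        echo PASS
    fi
    gpgconf --homedir "$H" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$H" "$WORK"
}

sign_and_check
```

Running the script prints PASS when the genuine file verifies and the altered one does not. Note what `gpg --verify` does and does not establish: it proves the file was signed by the holder of that particular key, which is the "key is the ID" point made above; whether that key belongs to a specific person is a separate question, and that is what a keysigning or a keyring like debian-keyring is meant to answer.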