LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Verification of Debian Developer identity

Verification of Debian Developer identity

Posted Jul 13, 2010 19:36 UTC (Tue) by jrn (subscriber, #64214)
In reply to: Debian declassification delayed by tialaramex
Parent article: Debian declassification delayed

I’m not sure why anyone should care, but it is still a requirement modulo one exception (an enforced one, if you want to nitpick) for contributors to have their gpg key signed by an existing DD before becoming a new DD themselves. It is a convention, not enforced but certainly not in name only, that DDs follow the usual looking-at-photo-id procedure when signing gpg keys.

As an aside, I find your tone puzzling.

(Log in to post comments)

Verification of Debian Developer identity

Posted Jul 16, 2010 9:41 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

That requirement makes it impossible to be an _anonymous_ Debian Developer, but not to be a _pseudonymous_ one which is why I chose the wording I did.

The requirement (the one other Debian Developers can see being enforced) is just that each member has an OpenPGP key with at least one identity signed by another Debian Developer.

Perhaps if Debian was created today, it would be required that the signed identity be a photographic image of the face (the necessary PGP features did not exist when Debian was created). A poor identifier, but one that's fairly verifiable. In reality, as I understand it, the main identifier for Debian Developers is an email address, since that's how most discussion is undertaken. Usually the address is associated with a name, and someone might ("by convention") check that the name vaguely matches one shown on some official looking photo ID (e.g. they'd sign "Bill Thomson" based on photo ID in the name "William Thompson"). That's just not a high enough barrier to use words like "impossible".

Fake identity documents are commonplace, particularly in jurisdictions where they are abused as licenses (e.g. to permit purchasing alcoholic beverages, tobacco, pharmaceuticals or firearms). Debian isn't an organisation of highly trained forensic experts, but of Free Software hackers. So we cannot expect miracles of detective work.

As to my tone, as usual there's no hidden agenda here, I'd scoff just as much if someone told me Microsoft's Windows division could keep secrets for five years. Only small groups, on whom secrecy of a particular matter is impressed as utterly critical, can be expected to keep secrets for more than a short while. Ultra is an example often cited - few people had routine access to Ultra, though more knew of its existence at least tangentially. Ultra was kept secret for the remaining duration of the war and perhaps 10 years or so beyond, but by the 1970s people were writing about it in memoirs of the war. Those told about Ultra were mostly military personnel, and it was clear lives were at stake. I'm not pretending the DDs are all gossips, straight over to a neighbour to tell them the latest, but only that it would be quite extraordinary to think of a secret that mustn't be public in five years time, but can be told to 1000 of these essentially random people from around the world.

(and moreover, told to them via unsecured SMTP email...)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds