| 1 |
Corey Shields <cshields@g.o> wrote: |
| 2 |
(07/30/2003 10:24) |
| 3 |
|
| 4 |
Sorry about the delay in responding. My firewall/mailserver was down with hardware issues. |
| 5 |
|
| 6 |
>On Wed, 2003-07-30 at 11:46, Fred Van Andel wrote: |
| 7 |
>> I think some people are getting too hung up on the identity thing. |
| 8 |
>> |
| 9 |
>> Within the context of the gentoo community does it matter what the real name of someone is? The only identity that ultimately matters is the identity that has cvs access, and to a lesser extent the identity that appears on irc. |
| 10 |
> |
| 11 |
>If someone decides to use a different identity online, that's cool. |
| 12 |
>However, they shouldn't take offense to the rest of us signing each |
| 13 |
>others keys. |
| 14 |
> |
| 15 |
><snip> |
| 16 |
> |
| 17 |
>> To me a signature on a gentoo address means that I am verifying that this identity is a gentoo developer, and I don't need to see government ID for that. In fact official ID gets in the way. I know carpaski is a gentoo developer, but I don't know that this particular individual who is presenting me with ID that says "Nicolas Jones" is in fact carpaski. He could be a completely different "Nicolas Jones" and I have no way of telling them apart. |
| 18 |
> |
| 19 |
>Some of us use the gentoo.org address as a secondary UID on our primary |
| 20 |
>gpg key. Therefore, I would rather know that who I am signing (and visa |
| 21 |
>versa) is the identity of that person. Best way to do that is with a |
| 22 |
>photo ID. |
| 23 |
|
| 24 |
In my case I have created a seperate key for my gentoo email address so that the key can be signed/revoked without affecting my main email address. |
| 25 |
|
| 26 |
>If you have a solution for signing keys of people with identities that |
| 27 |
>are not their own, maybe that should be used for those people. |
| 28 |
|
| 29 |
My point is that there gentoo identity is the one that matters, their real identity is irrelevant to gentoo. As far as gentoo is concerned there is only one identity. |
| 30 |
|
| 31 |
If carpaski were to place his key in his protected directory on dev.g.o I would be confindant that it is his key (root manipulations aside). The presenance of carpaski's key however tells me nothing about Nicolas Jones, that would require more conventional proof. |
| 32 |
|
| 33 |
>> I realize this might piss off some and I am sorry, but this has been bothering me for some time and I want to vent. |
| 34 |
> |
| 35 |
>No, not at all.. kind of expected some fallout when I posted the |
| 36 |
>idea. There are a few of us who will be signing our keys when we meet |
| 37 |
>at LWE, and so we just wanted to extend the invitation to anyone else in |
| 38 |
>the gentoo community. |
| 39 |
|
| 40 |
I have absolutely no objection to key signings, my objection is within gentoo they are not strictly necessary. The requirement for confirming physical ID's will not be easy since we are a global orginization. The infrastructure changes that are coming regarding signing and verifying ebuilds and such will be hard to set in place unless everyones signes and is signed. |
| 41 |
|
| 42 |
Fred Van Andel |
| 43 |
fava@g.o |
| 44 |
GPG KeyID: 76526AD599455482 |
| 45 |
GPG fingerprint: 64E4 4BAB 9C99 D565 3E3C F5D0 7652 6AD5 9945 5482 |
| 46 |
|
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-dev@g.o mailing list |
Archives