[aur-general] GPG Key Signing

Thomas Dziedzic gostrc at gmail.com
Thu Dec 1 10:08:39 EST 2011


On Thu, Dec 1, 2011 at 8:21 AM, Thomas Bächler <thomas at archlinux.org> wrote:
> On 01.12.2011 12:19, Xyne wrote:
>> I'm in the process of getting my key signed (Pierre has signed, Thomas and
>> Ionut should sign soon, not sure if Dan will sign due to not knowing my real
>> name).
>
> Dan's way isn't just about knowing the realname. He wants to verify that
> the name is correct.
>
> I can't believe that we are having the identity verification discussion
> again, but here is what I believe: You have been elected TU (or
> Developer) and thus I trust your key. Knowing (or not knowing) your real
> name doesn't change anything. In fact, I did not verify names for anyone.
>
> What's important to me: If I find out that you release packages that are
> harmful in any way, I can revoke my signature and block your packages
> from being installed. Knowing your real name does not make that easier,
> or prevent you from doing harmful things in the first place.
>

I do find it kind of abnormal that a TU does want to retain his real name.
There may be legitimate reasons for doing this or not, I don't know.
But I also have to agree with Thomas on this one.
I don't think anyone has actually verified that any of the given names
are real names.
What's important is that it's verified that you use the key to sign
your packages, so that in case someone does get compromised or decides to go
rogue, we will have a way to easily track which packages should
become void.
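
As an added illustration of the revocation path both posters describe (not code from the thread, from Arch or from pacman): a small model in which master keys certify packager keys, packages carry a signature by a packager key, and withdrawing a master's certification or revoking a compromised packager key voids exactly the packages that key signed. The key names, fingerprints, package names and the three-certifications threshold are all constructed for the example.

```python
"""Toy model of the trust chain the thread is about.

A few master keys each certify a packager's key; packages carry a signature
by the packager's key; a package is installable only while its signing key
holds enough unrevoked master certifications.  Revoking one master's
certification, or the packager key itself, voids every package that key
signed.  Added illustration only: names, fingerprints and the threshold
below are made up, and nothing here touches gpg or pacman.
"""

from dataclasses import dataclass, field


@dataclass
class Key:
    fpr: str          # fingerprint (constructed label, not a real key)
    owner: str
    revoked: bool = False


@dataclass
class Certification:
    signer: str       # fingerprint of the master key that signed
    subject: str      # fingerprint of the packager key being certified
    revoked: bool = False


@dataclass
class Package:
    name: str
    signer: str       # fingerprint of the key whose detached signature it carries


@dataclass
class TrustDB:
    keys: dict[str, Key]
    master_keys: set[str]
    certs: list[Certification] = field(default_factory=list)
    # How many unrevoked master certifications a packager key needs.
    # 3 is an assumed parameter for this example, not a quoted policy.
    certs_needed: int = 3

    def valid_certifiers(self, fpr: str) -> set[str]:
        """Master keys whose certification of `fpr` still counts."""
        return {
            c.signer
            for c in self.certs
            if c.subject == fpr
            and not c.revoked
            and c.signer in self.master_keys
            and not self.keys[c.signer].revoked
        }

    def is_trusted(self, fpr: str) -> bool:
        key = self.keys.get(fpr)
        if key is None or key.revoked:
            return False
        if fpr in self.master_keys:
            return True
        return len(self.valid_certifiers(fpr)) >= self.certs_needed

    def revoke_certification(self, signer: str, subject: str) -> None:
        """What a master-key holder does when withdrawing their signature."""
        for c in self.certs:
            if c.signer == signer and c.subject == subject:
                c.revoked = True

    def revoke_key(self, fpr: str) -> None:
        """What happens when a packager key is compromised or its owner goes rogue."""
        self.keys[fpr].revoked = True


def void_packages(db: TrustDB, packages: list[Package]) -> list[str]:
    """Names of packages whose signing key is no longer trusted."""
    return [p.name for p in packages if not db.is_trusted(p.signer)]


def build_demo() -> tuple[TrustDB, list[Package]]:
    """Constructed sample: three master keys, two packagers, four packages."""
    masters = ["M1", "M2", "M3"]
    keys = {m: Key(m, f"master {m}") for m in masters}
    keys["P1"] = Key("P1", "packager one")
    keys["P2"] = Key("P2", "packager two")
    db = TrustDB(keys=keys, master_keys=set(masters))
    for m in masters:                       # every master certifies both packagers
        db.certs.append(Certification(m, "P1"))
        db.certs.append(Certification(m, "P2"))
    packages = [
        Package("alpha", "P1"), Package("beta", "P1"),
        Package("gamma", "P2"), Package("delta", "P2"),
    ]
    return db, packages


def scenario_revoke_one_certification() -> list[str]:
    """One master withdraws its signature from P1: P1 drops below the threshold."""
    db, packages = build_demo()
    db.revoke_certification("M1", "P1")
    return void_packages(db, packages)


def scenario_compromised_key() -> list[str]:
    """P2's key is compromised and revoked: only P2's packages become void."""
    db, packages = build_demo()
    db.revoke_key("P2")
    return void_packages(db, packages)


if __name__ == "__main__":
    db, packages = build_demo()
    print("initially void:", void_packages(db, packages))
    print("after M1 revokes its cert on P1:", scenario_revoke_one_certification())
    print("after P2 is compromised:", scenario_compromised_key())
```

The two scenarios are the two cases raised in the thread: a master-key holder pulling their certification because the packager ships something harmful, and a packager key that is compromised or whose owner goes rogue. In both, nothing about the owner's real name enters the computation; what decides which packages are void is only which key signed them and whether that key still has enough standing certifications.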

