The debian-private mailing list leak, part 1.


Re: RFC: Proposal for signed packages



This is a good proposal, but not enough.  If I sign a package, I only
vouch for two things.  First, I have verified the PGP signature of the
maintainer.  Second, this is a genuine Debian package that was
downloaded from master.debian.org, and not some package
surreptitiously introduced elsewhere.

But, I do not vouch that the maintainer exists, or that the
maintainer is not a bad person.

We really can't do anything about evil cracker maintainers, but we
have to be absolutely sure that the maintainer exists.  The threat of
our knowing exactly who did it will prevent anyone from introducing a
trojan horse.

So all developers make a concerted effort to get other PGP users to
sign your key.  I've forgotten who, but somebody offered the services
of their company's personal verification services gratis.  Perhaps we
should all at least do that.  Do you guys sign PGP keys after calling
the person up and verifying personal info?


Guy


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com