Some have rolled their eyes at the "paranoid" requirement from the #Debian community of in-person gpg key signing as a step to become a Debian developer, and it's often been a real barrier.

But I'm reminded of it at the #OSSummit keynote today as the #Linux Foundation's Jim Zemlin talks about the xz vulnerability and identity verification of developers.

It was never paranoia. It doesn't solve everything, and people can still be dishonest, but it was never excessive paranoia.

@pleia2
There's no substitute for in-person vetting. Fortunately, with PGP, one can sign the public keys of others, adding assurance for not-in-person trust.

What @[email protected] says is true. But that's a known aspect of public key trust: it cannot prove the integrity of the key owner, merely assure the identity. One then must recognize good/bad behavior of that actor and take note.