Some have rolled their eyes at the "paranoid" requirement from the #Debian community of in-person gpg key signing as a step to become a Debian developer, and it's often been a real barrier.

But I'm reminded of it at the #OSSummit keynote today as the #Linux Foundation's Jim Zemlin talks about the xz vulnerability and identity verification of developers.

It was never paranoia. It doesn't solve everything, and people can still be dishonest, but it was never excessive paranoia.

@pleia2 to be honest, i don't see the point of it. a threat actor can send somebody from their group to go get their signing key signed by other developers, after all.

@ariadne It's true, but there are a lot of additional barriers there, including visas, travel, and generally the extra layer of complexity that representing yourself in person brings (basically all the reasons people have brought up against it over the years). This may not mean much when a huge investment is made by a state actor already, but it's something.

@pleia2 @ariadne I guess the concern would be that a nation state actor with significant resources has much *more* of an ability to deal with most of those barriers than a genuine volunteer contributor usually does.

(While someone without such resources mostly isn't going to be doing an elaborate long-term attack like this.)

So it's not paranoid, but it's unclear how much it would help.

@ids1024 @pleia2 @ariadne You have to come out into the open. Meet people who might then be able to identify you. So it fixes an identity more to one person.

@waldi @ids1024 @pleia2 does it though? i am sure an alphabet soup agency can just designate one physical person to run point on any in-person interactions with the APT.

i guess i am just not convinced that this has any meaningful defense against APTs who can likely issue fake travel docs any time they want.

what the cross-signing *does* help with is ensuring that no single party controls all of the signing keys used for Debian. but in practice, the reason why that is important is largely tied to how Debian-like distributions ingest source code to create debs.

(and nothing stops an APT from just going through mentors.debian.org just like nothing stops an APT from just submitting PRs to aports and finding a useful person to unwittingly merge them into Alpine)

@ariadne @ids1024 @pleia2 Sure, they can and will do that. But now you have one person that needs to know all that stuff reasonably well. If you only communicate nonverbally, you can use the support group for backup if the one doing the communication does not have all that knowledge.

@waldi @ids1024 @pleia2 it's ok, neuralink will probably solve for this problem within a decade