oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: upstream source code authenticity checking

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 02 May 2013 13:54:52 -0700
On 05/ 2/13 11:10 AM, Russ Allbery wrote:

I routinely do this.  It's called a key-signing party.  The only trust
that I am expressing with that signature is that I have seen and verified,
to the best of my ability, some form of reliable identification for that
person (ideally a passport I can verify, or a social environment in which
it would be very difficult to impersonate someone you are not) in
combination with a proof that the key I signed belongs to the person whose
identification I checked.


Though for many open source projects, having a passport or other government
id is not the sort of identity we care about - knowing that you're the
person who does git/hg commits under that e-mail address is what we care
about - if it's a pseudonym that doesn't match your passport, that doesn't
affect whether we accept code from you or not.   (The lawyers might care,
when it comes to verifying who owns copyright and agreed to release code
under a given license, but that's a whole separate mess to unravel.)

--
        -Alan Coopersmith-              alan.coopersmith () oracle com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Previous By Date Next
Previous By Thread Next

Current thread: