discuss: Contacting TLDP authors. Share your thoughts.
Subject:
Re: [discuss] Contacting TLDP authors. Share your thoughts.
From:
Rick Moen ####@####.####
Date:
23 Sep 2008 23:15:54 +0100
Message-Id: <20080923221551.GB32320@linuxmafia.com>
Quoting Svetoslav P. Chukov ####@####.####
> Another question. How we could authenticate the authors?
IMO, absolutely authenticating people is beyond the scope of what LDP can
reasonably do, and trying is not necessary or particularly useful.
Even attempting to maintain a gpg web of trust w/keyring or keyserver a
la Debian would not be sufficient to prove anyone's identity: It would
merely give high confidence that subsequent contacts are from the same
person who first claimed to be a document's author -- _but_ you have no
reasonably confidence that the first person wasn't someone else
masquerading as the author.
Scenario: LDP attempts to chase down the author of a document, Mr. John
Q. Smith. The former e-mail address doesn't work, so we use logic,
Web-searching, and inquires to find a new address that we guess is
probably the same John Q. Smith, and send an inquiry asking "Are you the
same John Q. Smith who wrote the Foo HOWTO?" Unbeknownst to us, Mr.
Moriarty has access to this John Q. Smith's e-mail and falsely, to cause
mischief, replies "Yes, I wrote the Foo HOWTO. Thank you. Here's my
gpg key." When the real John Q. Smith later claims LDP "violates his
rights", LDP is really no better off -- except it's spent scarce
volunteer help resources building up an overengineered authentication
system that actually doesn't help.
I would suggest, instead, just using reasonable prudence and acting in
good faith. The very worst that's likely to happen is a brief
accidental granting of access to the wrong person, followed by reversion
and life resuming uninterrupted.
