• Re: Concerns about Security of packages in Debian OS and the Operating

    From lkcl@21:1/5 to Satvik Sinha on Sun Apr 17 21:50:01 2022
    XPost: linux.debian.project, linux.debian.security

On 17/04/2022 19:26, Satvik Sinha wrote:

> abusing your OS's reputation?

i believe the answer is in the question. debian is based on distributed trust. i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate.

take ubuntu for example: whilst it has the exact same technology, the size of the developer pool, comprising the web of trust, is both much smaller and also controlled by one Corporation: Canonical. Canonical says "jump", the developers ask "how high".

take Suse, Fedora etc: their RPM packages break the chain of trust by failing to properly include a GPG Signature of the Release (i do not recall the exact details, i did the analysis 4 years ago).

take Archlinux: their community is vulnerable to unverified github repositories being abandoned, a hacker re-registering them, and a trojan uploaded and distributed automatically.

i won't even bother going into the absolute moronic practice of "trusting" HTTPS: node, pypi, etc should be blindingly obviously untrustworthy, with the website being a prime hacking target if nothing else.

even GNU packages are hopelessly inadequately secure as far as social engineering and hacking are concerned.

debian is not a single centralised repository, it is controlled by no-one. you have to compromise hundreds of independent developers before you make any headway, and as a result it was trusted by e.g. the Venezuelan Government as the basis for their own distro, many years ago.

there is not even a centralised dependency on a website: packages may be securely distributed by Carrier Pigeon or printed out on paper and OCR scanned if you really want to, because there is a full GPG Chain and Checksums, right back to the source code.

and that (GPG Chains), basically, is the key. anyone stupid enough to do something stupid is going to be throwing away their reputation, not just within the debian project as a maintainer, but for life.

if you abuse your position as a maintainer by putting in trojan code, then because that trojan package had to be GPG Signed, you have to make a *public and irreversible declaration* which will remain in historical archives for the rest of your life and beyond.

this would result in catastrophic consequences for not just their involvement in debian (which would be terminated with prejudice), but because their GPG Signature on the trojan package is public, inviolate and irrevocable, it would also have catastrophic consequences for their career in IT because nobody would ever trust them in a position of responsibility, ever again. they'd be flipping burgers for the rest of their life.

fundamentally, then, you are assuming that there is "one controller of debian", which is false. there are literally hundreds of *independent* developers, all of whom know their responsibility, all of whom know that they have all other independent developers keeping an eye on them.

this makes debian pretty much the only distro that could be trusted to remain true to humanity and to its principles and its charter. even when some of them (you know who you are) are, when it comes down to it, not very nice people, they can at least be trusted to do the right thing.

    l.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
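The chain lkcl describes above (a signed Release file that lists the checksum of each Packages index, which in turn lists the checksum of each .deb) is what apt walks on every install. The script below is an added example, not code from this thread or from Debian: it reconstructs the checksum links over constructed in-memory sample files so that it runs offline without a mirror. It assumes the first link, the OpenPGP signature over Release/InRelease that apt verifies with gpgv against the debian-archive-keyring package, has already been checked; the file layout follows the Debian Release and Packages formats, but the package name, paths and contents are made up.

```python
"""Walk the apt-style checksum chain Release -> Packages -> .deb.

Added example, not from the thread or from Debian. Every artefact below is
a constructed in-memory sample. The OpenPGP signature over Release, the
first link of the real chain, is assumed to have been verified already
(apt does this with gpgv against the archive keyring); only the checksum
links are implemented here.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample archive (not real Debian data) ---------------------
DEB_BYTES = b"!<arch>\nconstructed sample .deb payload, not a real package\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"   # made-up path
INDEX_PATH = "main/binary-amd64/Packages"

# A one-stanza Packages index pointing at the sample .deb.
PACKAGES_INDEX = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
).encode()

# The (assumed already signature-checked) Release file listing that index.
RELEASE_TEXT = (
    "Origin: Constructed\n"
    "Suite: stable\n"
    "Components: main\n"
    "Architectures: amd64\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
)


def parse_release_sha256(release_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256, size)} from the indented SHA256: block of Release."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Non-indented lines are field names; only SHA256: opens our block.
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def parse_packages(index_bytes: bytes) -> List[Dict[str, str]]:
    """Parse an RFC822-style Packages index into a list of field dicts."""
    stanzas: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", index_bytes.decode()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Link 2: the Packages index must match the size and SHA256 in Release."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return size == len(index_bytes) and hmac.compare_digest(digest, sha256_hex(index_bytes))


def verify_deb(index_bytes: bytes, deb_path: str, deb_bytes: bytes) -> bool:
    """Link 3: the .deb must match the Size and SHA256 of its Packages stanza."""
    for stanza in parse_packages(index_bytes):
        if stanza.get("Filename") == deb_path:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and hmac.compare_digest(stanza["SHA256"].lower(), sha256_hex(deb_bytes)))
    return False   # a package not listed in the signed index is not trusted


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 deb_path: str, deb_bytes: bytes) -> bool:
    """Accept the package only if every link from the signed Release down holds."""
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes, deb_path, deb_bytes))


if __name__ == "__main__":
    genuine = verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX, DEB_PATH, DEB_BYTES)
    tampered = verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX, DEB_PATH, DEB_BYTES + b"\x00")
    print("genuine:", genuine, "tampered:", tampered)
```

Because each link is a hash of the next artefact, the transport (a mirror, a USB stick, lkcl's carrier pigeon) adds nothing the verifier has to trust: a .deb that matches its Packages entry, in an index that matches the signed Release, is the one the signer vouched for, and a single changed byte in either file fails. The chain says nothing about a stolen signing key, which is the case raised later in the thread: a package signed with a compromised but still-valid key passes every check here.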
  • From Satvik Sinha@21:1/5 to daniel@pocock.pro on Sun Apr 17 22:10:01 2022
    Oh

    On Mon, 18 Apr 2022, 00:00 Daniel Pocock, <daniel@pocock.pro> wrote:


> On 17/04/2022 19:26, Satvik Sinha wrote:
> > Hi guys, and good day! So in recent days it was observed that many open
> > source contributors vandalised their or someone else's project's
> > reputation to show agendas of the Russia-Ukraine war. Some even vandalised
> > their project to destroy systems in Russia and Belarus (node-ipc being
> > one of them), which affected many people and their trust in open-source
> > software. So I wanted to ask: how safe is Debian doing right now, how
> > will you guys prevent contributors pushing such malicious code into your
> > software, and how will you detect a software getting vandalised to show
> > an anti-war agenda by abusing your OS's reputation?
>
> If there are backdoors in Debian then they are harder to detect. Large
> intelligence agencies aim for plausible deniability. Look at the
> infamous OpenSSL vulnerability[1]. After investing so much time
> planting agents and backdoors in Debian, they will not want to blow
> their cover by doing something so brash.
>
> There has recently been evidence on Debian Community News about some
> cases, for example:
>
> Paul Tagliamonte and Sam Hartman and their Pentagon connections, with
> photos
>
> Jonathan Wiltshire and Chris Lamb having GCHQ proximity, with a map
>
> There are approximately 1000 Debian Developers and when one of us makes
> an upload, there is no obligation for somebody else to check it. On the
> other hand, there is a period of days or weeks before new uploads can
> propagate to stable systems. This may make it more robust if you only
> use stable.
>
> debian-project@lists.debian.org is now being censored to stop
> discussions like this about Debian integrity.
>
> Regards,
>
> Daniel
>
> 1.
> https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
>
> --
> Debian Developer
> https://danielpocock.com


• From Stephan Verbücheln@21:1/5 to All on Mon Apr 18 19:50:01 2022
    XPost: linux.debian.project, linux.debian.security

> i did the analysis (took 3 weeks)

Do you have a publication of that analysis? I was thinking the same
about the organization of Debian for some time but never did an analysis
or compared it to other distros.

Also I would like to add that reproducible builds are an excellent addition
to the mechanisms you are describing.

    Regards

  • From Adam McKenna@21:1/5 to luke.leighton@gmail.com on Mon May 23 19:30:02 2022
    XPost: linux.debian.project, linux.debian.security

> i believe the answer is in the question. debian is based on distributed
> trust. i did the analysis (took 3 weeks): it is literally the only distro
> in the world with an inviolate chain of trust from a large keyring dating
> back 20 years that is itself GPG-signed as a package, with a package
> distribution chain from source where all components within the chain up
> to release are unbroken and inviolate.

    This is not an answer to the question though, OP was asking how we prevent abuse of that trust.

  • From Andrey Rahmatullin@21:1/5 to lkcl on Mon May 23 21:00:01 2022
    On Mon, May 23, 2022 at 07:22:40PM +0100, lkcl wrote:
> > > i believe the answer is in the question. debian is based on distributed trust. i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate.
> >
> > This is not an answer to the question though, OP was asking how we prevent abuse of that trust.
>
> reputation, and potentially criminal and civil proceedings.
>
> all identities are known, and inviolate-known [through the
> above-described chain].
(there is no mechanism to tie a GPG key to an actual person or to find who actually did the signing)

> anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked.
(only after the abuse is found)

> given that GPG key-signing parties require people's real-world identities
> to be known,
(depends on your definition of "people's real-world identities")

> it is easy to track down who signed whose key (it's right
> there in the keyring-archive), and request that the signer provide assistance to the relevant authorities in proving that real-world identity.
(doubtful, considering how GPG key-signing parties actually work)

    --
    WBR, wRAR

  • From lkcl@21:1/5 to adam@flounder.net on Mon May 23 20:40:01 2022
    XPost: linux.debian.project, linux.debian.security

    On Mon, May 23, 2022 at 6:28 PM Adam McKenna <adam@flounder.net> wrote:

> > i believe the answer is in the question. debian is based on distributed trust. i did the analysis (took 3 weeks): it is literally the only distro in the world with an inviolate chain of trust from a large keyring dating back 20 years that is itself GPG-signed as a package, with a package distribution chain from source where all components within the chain up to release are unbroken and inviolate.
>
> This is not an answer to the question though, OP was asking how we prevent abuse of that trust.

    reputation, and potentially criminal and civil proceedings.

    all identities are known, and inviolate-known [through the
    above-described chain].
    anyone stupid enough to abuse their position may only do so once, at which point their GPG key is revoked.

given that GPG key-signing parties require people's real-world identities to be known, it is easy to track down who signed whose key (it's right there in the keyring-archive), and request that the signer provide assistance to the relevant authorities in proving that real-world identity.

this will sufficiently piss off those people that trusted them that they will be unlikely to work with them ever again [reputation]

in addition there is the Debian Trademark which, if brought into disrepute through abuse, could be utilised to seek damages against the perpetrator.

bottom line is that it would be a spectacularly stupid thing to do to violate the trust and responsibility of being a Debian Maintainer, and the really interesting bit to me is that this all works in an entirely distributed manner and can be done entirely without a single centralised authority, i.e. *not* having to trust f*****g google or f*****g github with anyone's real-world identity in any way, shape or form.

    l.

  • From Adam McKenna@21:1/5 to luke.leighton@gmail.com on Mon May 23 21:10:01 2022
    XPost: linux.debian.project, linux.debian.security

> anyone stupid enough to abuse their position may only do so once, at
> which point their GPG key is revoked.

    You are talking about a deterrent though. I think the question is, what if someone cares more about their political cause than retaining their
    uploader access?

    What if someone's keys are compromised and an attacker uploads a
    compromised package?

    Do we have ways of detecting these breaches or do we rely solely on user reports?

  • From Adam McKenna@21:1/5 to luke.leighton@gmail.com on Mon May 23 21:20:01 2022
    XPost: linux.debian.project, linux.debian.security

> they get one and only one chance to do something that stupid.

So the answer is that we have no way of preventing a developer from intentionally sabotaging a package in any / as many ways as they choose, and the only risk to them is losing their uploader access after the fact?

> the response is swift: there was a debian developer wrongfully arrested
> for running a TOR exit node. their key was revoked immediately.

    How was this incident detected?


  • From lkcl@21:1/5 to adam@flounder.net on Mon May 23 21:30:01 2022
    XPost: linux.debian.project, linux.debian.security

    On Mon, May 23, 2022 at 7:59 PM Adam McKenna <adam@flounder.net> wrote:
> You are talking about a deterrent though. I think the question is,
> what if someone cares more about their political cause than
> retaining their uploader access?

    they get one and only one chance to do something that stupid.

> What if someone's keys are compromised

    the response is swift: there was a debian developer wrongfully
    arrested for running a TOR exit node. their key was revoked
    immediately.

    l.
