Re: RFC: advise against using Proton Mail for Debian work?



Hi,

On 11/15/23 08:40, Nicholas D Steeves wrote:

> 1. I've received a report that this provider is not appropriate for DM
> and DD use, because the key pair is stored on their servers.  I.e.: The
> applicant doesn't control the means of validating identity and
> authorship.

Correct. I'd even go as far as to say that using it should be a disqualifying factor. Upload permissions are tied to a gpg key, and the holder of the key needs to at least demonstrate good practices in using gpg, and ideally also have enough understanding to be able to derive good practices rather than just follow a set of rules.

The gpg signature is not just a formal requirement where it doesn't matter how it is generated, but an integral part of the trust chain.

> A) Continue to explain this to new contributors on a one-by-one basis.

I think that is part of Tasks&Skills.

> C) Proton Mail begins to do something differently on their end, such as
> offering some features to Debian contributors that currently require a
> subscription.

Unless that feature is "you control your own secrets", that makes no difference: it remains unsuitable, and anyone using it in this manner demonstrates that they are not yet ready for the responsibilities of Debian membership.

And "control your own secrets" as a perk of paid membership would be an even bigger level of wrong.

   Simon