LinuxSir.cn, the Linuxsir that travels through time!


Joining the ranks of the DDs

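Posted on 2004-9-30 21:27:21
I am no longer a DD. I joined for a while out of a passing interest, but my interests later shifted elsewhere. Back then I also didn't understand much about how people interact online, and I was once LARTed by another DD. I'm embarrassed to say it.

I am writing this post in the hope that more people, if they are interested, will try to become official DDs. You can of course maintain your own repository, or a lot of high-quality patches. But becoming an official DD does have some advantages. These show not only in making your own work more convenient; it is also good for cultivating and growing the Debian user base across the whole country.

Originally there was apparently a problem with poor connectivity between the education network and the public network in China. That should be much better now. And there are more and more Debian users on the public network in China as well.

As for becoming a DD, Debian has very detailed documentation that explains the steps one by one. Here I will only talk about the signature issue. They do understand how hard it can be to get a signature, so it is not an absolutely required step. What I did at the time was scan my ID card and send it to them by email to look at. In fact the DD in charge of processing my application did not take any verification measures either. So it is not very difficult.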
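Original poster | Posted on 2004-9-30 21:31:35
For the many Chinese-language users, being able to easily get the best Chinese software from Debian's worldwide apt network is in itself a very good thing.

And Chinese-language users are not only found in China. Abroad there are overseas students, ethnic Chinese, and people learning Chinese who would also like to be able to use Chinese software conveniently.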
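Original poster | Posted on 2004-9-30 21:35:20
The purpose of free software is communication and cooperation. This is not just a matter of belief. From a user's point of view, it is really a matter of convenience. In the past, the people in China working on Chinese support each went their own way; although their work was very good, it was never very convenient for users, and in the end it was only after foreigners had built things like pango for us that we could use Chinese fairly conveniently. And all that excellent work done in China before? None of it can be found any more.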
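Original poster | Posted on 2004-9-30 21:39:51
Chinese-language users are not just in these few places on the mainland. Becoming a DD also makes it easier for us to communicate with developers in places like Hong Kong and Taiwan. Take a place as strong as ustc: last time I chatted with someone doing Linux work in Hong Kong, they hardly knew of it. In fact a lot of the work everyone does overlaps. Only by studying each other's work can we do better.

Communicating with each other is not just more efficient. It is also more fun. A healthy community is, after all, crucial to free software.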
Posted on 2004-9-30 21:42:29
Maybe you were lucky and ran into a "not very serious" DD, or maybe times have changed. In practice, that alone is not enough.
People should only sign a key under at least two conditions:

   1. The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government issued ID with a picture and information that match up with the key owner. (Some signers know that government issued ID's are easily forged and that the trustability of the issuing authorities is often suspect and so they may require additional and/or alternative evidence of identity).
   2. The key owner verifies that the fingerprint of the key about to be signed is indeed their own.

Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get a PGP key to go with it by pretending to be an agent of the keyowner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different PGP key with the key owner's name on it and get someone to sign the wrong key.

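To put it bluntly, you need to attend a key signing party, or extend this trust through other people. Of course, it is much easier if you have acquaintances in Hong Kong or Taiwan.
Original poster | Posted on 2004-9-30 21:44:09
Speaking of communication, good English is of course convenient. But it is not an absolute requirement. Debian has people from all over the world, and many of them, me included, have only average English. As long as you can discuss basic technical issues, that is enough. Once there are more Chinese-speaking DDs, everyone can help each other, and English will be even less of a problem.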
Posted on 2004-9-30 21:45:43
What you should not do

You should never sign a key for somebody else you haven't met personally. Signing a key based on anything other than first-hand knowledge destroys the utility of the Web of Trust. If one's friend presents other developers with your ID card and your fingerprint, but you are not there to verify that the fingerprint belongs to you, what do other developers have to link the fingerprint to the ID? They have only the friend's word, and the other signatures on your key -- this is no better than if they signed your key just because other people have signed it!

It is nice to get more signatures on one's key, and it is tempting to cut a few corners along the way. But having trustworthy signatures is more important than having many signatures, so it's very important that we keep the keysigning process as pure as we can. Signing someone else's key is an endorsement that you have first-hand evidence of the keyholder's identity. If you sign it when you don't really mean it, the Web of Trust can no longer be trusted.
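Original poster | Posted on 2004-9-30 21:47:57
Originally posted by namespace
Maybe you were lucky and ran into a "not very serious" DD, or maybe times have changed. In practice, that alone is not enough.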
People should only sign a key under at least two conditions:

   1. The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government issued ID with a picture and information that match up with the key owner. (Some signers know that government issued ID's are easily forged and that the trustability of the issuing authorities is often suspect and so they may require additional and/or alternative evidence of identity).
   2. The key owner verifies that the fingerprint of the key about to be signed is indeed their own.

Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get a PGP key to go with it by pretending to be an agent of the keyowner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different PGP key with the key owner's name on it and get someone to sign the wrong key.

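To put it bluntly, you need to attend a key signing party, or extend this trust through other people. Of course, it is much easier if you have acquaintances in Hong Kong or Taiwan.


Signing a key is of course a very serious matter. It was very serious when I joined, too. My key was never signed, because I never met another DD face to face. So even if I signed your key, you and I would still be on an island. It would be no use.

But the key requirements for becoming a DD are not very strict. Especially given the specific difficulties on the mainland, people will understand. Debian is not that kind of rigid bureaucracy. You can rest assured about that.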
Original poster | Posted on 2004-9-30 21:54:39
http://www.debian.org/devel/join/nm-step1

There is a detailed explanation there. About signing keys:

# The applicant's identity needs to be verified.

This is usually done by having at least one signature on the applicant's GPG key from a Debian Developer. If the applicant's location makes it impossible to get a key signed by another Debian Developer, a scanned photo of their drivers license or passport signed with their GPG key can be accepted as an alternative method of identification.
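
An added example, not part of the thread or of Debian's tooling: a check a reviewer could run on a GPG-signed ID scan like the one described above, accepting it only when the signing key's full fingerprint equals the one the applicant supplied, since the quoted keysigning text warns that a different key carrying the same name can be substituted. The status lines, name and fingerprints are constructed; the helper names are hypothetical, and the expected fingerprint must still come from the applicant directly.

```python
import re

# Status keywords that gpg emits for a signature that must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize_fpr(text):
    """Turn a fingerprint as printed on paper into 40 upper-case hex digits."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit fingerprint")
    return fpr

def check_signed_scan(status_output, expected_fpr):
    """Decide from `gpg --status-fd 1 --verify scan.sig scan` output whether
    the scan was signed by the key whose fingerprint was given out of band."""
    expected = normalize_fpr(expected_fpr)
    primaries = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False, "signature rejected: " + parts[1]
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key fingerprint; it may
            # be absent, in which case fall back to the signing key's own.
            primaries.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    if len(primaries) != 1:
        return False, "expected exactly one valid signature"
    if primaries[0] != expected:
        # The name on the GOODSIG line is deliberately ignored: anyone can
        # create a key carrying the applicant's name.
        return False, "fingerprint mismatch"
    return True, "signed by the expected key"

# Constructed sample data: fingerprints, name and timestamps are made up.
PRINTED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def sample_status(fpr, name="Zhang San <zhangsan@example.org>"):
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} {name}",
        f"[GNUPG:] VALIDSIG {fpr} 2004-09-30 1096552479 0 3 0 17 2 00 {fpr}",
        "[GNUPG:] TRUST_UNDEFINED",
    ])

if __name__ == "__main__":
    print(check_signed_scan(sample_status(normalize_fpr(PRINTED)), PRINTED))
    print(check_signed_scan(sample_status(OTHER), PRINTED))
```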
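Posted on 2004-9-30 22:01:47
I also want to become a Debian Developer, but every time I see Debian's tedious procedures I get scared off.
I think it would be best to have a Debian Developer who can communicate with us, so that our contributions can be passed along through him without going through these tedious procedures.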