
Why should we always use our real names while generating GPG key? [closed]

Tags: git, gnupg

I'm using GPG to sign my git commits as the project I'm working for wants.

But I use a pseudonym and I don't want to be identified by my GPG signature.

Over here: it asks us to use only our real names (as in our passport or government issued ID).

What is the necessity? How can I maintain my anonymity with GPG?

batman asked Sep 20 '14 11:09


2 Answers

In general, this advice is linked to CLA (Contribution License Agreement), which defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license.

The Canonical contributor licence agreement for Ubuntu mentions in its FAQ that it now uses a copyright licence agreement (where the contributor grants permission for Canonical to distribute the contribution).

The Canonical Individual Contributor License Agreement is a deal between "You" and Canonical, so if you are using your GPG key, attaching it to a contribution to Canonical, its metadata should reflect "You" (actual name or address), in order for the IP (Intellectual Property) to be respected.

There are projects like CLAHub (Contributor License Agreements on GitHub) to make the process easier, but if you are using a GPG key for contributing to an open source project in the context of a CLA, then the information should be accurate.

If you are using the GPG key in any other context, you can associate any metadata (name/email, ...) that you want.

VonC answered Sep 30 '22 08:09


It's not necessary. You referenced

  • recommendation|agreement
  • For Ubuntu-world only

But (is Wiki-reference OK for you?):

when verifying signatures, it is critical that the public key used to send messages to someone or some entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not an overwhelming assurance of that association; deliberate (or accidental) impersonation is possible

Because I can see (and get) a lot of different "learner" signatures, I want (under some conditions) to be sure who each "learner" is, and to know whether it is the same person or whether I have some type of impersonation.

PS: The Security site of the SE family may be a better and more relevant location for this type of question.

Lazy Badger answered Sep 30 '22 09:09